TechSpot

That fake "Chrome" browser.exe infection

Solved
By Eric Witzling
Aug 28, 2014
  1. Bit of history on this one.

    Two days ago I was called in because the computer was operating slowly. Taking a look, there were dozens of dllhost.exe processes running, taking up memory space largely in the 30MB to 250MB range. I ran normal cleanup tools up to and including tdsskiller (which cured two Win32.patched.pj trojans infecting c:\Windows\system32\rpcss.dll - identified as "DcomLaunch" and "RpcSs" services), rkill, JRT, adwcleaner, and combofix. Following that, I allowed the onboard A/V and anti-malware (Vipre Business and MalwareBytes) to run manual scans, along with SuperAntiSpyware portable.

    The tdss-detected trojans remained gone and the dllhost.exe processes never returned, and things seemed OK. Yesterday, however, users reported "Chrome Errors" popping up on-screen where it would crash. Chrome is installed on the PC, but it was not in use, and I was instead seeing dozes of "browser.exe" processes running, and also "werfault.exe"s as the errors built up.

    The browser.exe processes are task-killable, but pop up shortly afterward. I traced them to some folders in the user's LocalLow directory (CottonVisual, ReceiverRadio, ReceiverSync) that are recreated even if deleted. This seems to be a pretty recent type of infection, which nothing has caught up to yet. Will appreciate any and all advice.

    -----------------------------------------------

    I can't install the version of MalwareBytes you mention, because MB has already been on and installed for years. There is a monitoring and maintenance software package on these computers that include MB 1.65.1.1000

    I can paste the log from the manual scan I ran after the other tools, however:

    Malwarebytes Anti-Malware (MSP) 1.65.1.1000
    www.malwarebytes.org

    Database version: v2014.08.26.04

    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 9.0.8112.16421
    bella :: NCJAR-NEX-1011 [administrator]

    Protection: Enabled

    8/26/2014 4:08:03 PM
    mbam-log-2014-08-26 (16-08-03).txt

    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
    Scan options disabled:
    Objects scanned: 629629
    Time elapsed: 1 hour(s), 35 minute(s), 21 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 1
    HKCR\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32\ (Rootkit.Poweliks) -> Quarantined and deleted successfully.

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 2
    C:\ProgramData\OhlapGedce\OhlapGedce.dat (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Users\setup\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\etzia.exe (Trojan.Zbot.gen) -> Quarantined and deleted successfully.

    (end)


    -------------------------------

    I cannot at the moment run DDS with the PC offline and A/V disconnected. If you need me to do that, I should be able to at a later date. Results are below:

    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 9.0.8112.16545
    Run by bella at 11:04:33 on 2014-08-28
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3493.2394 [GMT -4:00]
    .
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ================
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Windows\system32\IProsetMonitor.exe
    C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\PROGRA~1\SAAZOD\Malwarebytes' Anti-Malware\mbamscheduler.exe
    C:\PROGRA~1\SAAZOD\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\PROGRA~1\SAAZOD\zRealTime\SAAZappr.exe
    C:\PROGRA~1\SAAZOD\SAAZDPMACTL.exe
    C:\PROGRA~1\SAAZOD\SAAZScheduler.exe
    C:\PROGRA~1\SAAZOD\SAAZServerPlus.exe
    C:\PROGRA~1\SAAZOD\SAAZWatchDog.exe
    C:\Program Files\GFI Software\GFIAgent\SBPIMSvc.exe
    C:\PROGRA~1\SAAZOD\zRealTime\rtHlpDk.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
    C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Pitney Bowes\PC Meter Connect\mailstationAssistant.exe
    C:\Program Files\GFI Software\GFIAgent\SBAMTray.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\system32\rundll32.exe
    C:\Program Files\GFI Software\GFIAgent\SBAMSvc.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
    C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    C:\Windows\system32\UI0Detect.exe
    C:\PROGRA~1\SAAZOD\zSCC\zInCCM.exe
    C:\PROGRA~1\SAAZOD\zSCC\zCCM.exe
    C:\Windows\Explorer.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\timeout.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
    uRun: [ocx] "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden "[reflection.assembly]::load((gp -path 'hkcu:software\classes\clsid').OCX).GetType('gm.ks').GetMethod('m').Invoke(0,@('Installer'));"
    uRun: [BrowserWireless] c:\windows\system32\rundll32.exe "c:\users\bella\appdata\local\browserwireless\BrowserWireless.dll",DllRegisterServer
    mRun: [IAStorIcon] c:\program files\intel\intel(r) rapid storage technology\IAStorIcon.exe
    mRun: [RTHDVCPL] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
    mRun: [NUSB3MON] "c:\program files\renesas electronics\usb 3.0 host controller driver\application\nusb3mon.exe"
    mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
    mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
    mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
    mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"
    mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
    mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
    mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
    mRun: [PC Meter Connect] c:\program files\pitney bowes\pc meter connect\mailstationAssistant.exe minimize
    mRun: [SBAMTray] "c:\program files\gfi software\gfiagent\SBAMTray.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRunOnce: [Launcher] c:\program files\sminst\Launcher.exe
    StartupFolder: c:\users\bella\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\bella\appdata\roaming\dropbox\bin\Dropbox.exe
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    uPolicies-Explorer: NoDrives = dword:0
    mPolicies-Explorer: NoDrives = dword:0
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableLUA = dword:0
    mPolicies-System: EnableUIADesktopToggle = dword:0
    mPolicies-System: PromptOnSecureDesktop = dword:0
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    .
    INFO: HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://control.itsupport247.net/components/swflash.cab
    DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=722
    TCP: NameServer = 192.168.0.20
    TCP: Interfaces\{C8C75108-648B-43C0-B933-860C92875C7D} : NameServer = 192.168.0.20,8.8.8.8,208.67.222.222
    TCP: Interfaces\{C8C75108-648B-43C0-B933-860C92875C7D} : DHCPNameServer = 192.168.0.20
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WebCheck - <orphaned>
    mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\37.0.2062.94\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
    IFEO: ehshell.exe - "c:\program files\logmein\x86\LogMeInSystray.exe" -MceShellRedirect
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\intel\intel(r) rapid storage technology\IAStorDataMgrSvc.exe [2011-10-17 13592]
    R2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [2011-10-17 112800]
    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-8 375120]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 13624]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-10-20 47640]
    R2 MBAMScheduler;MBAMScheduler;c:\progra~1\saazod\malwarebytes' anti-malware\mbamscheduler.exe [2013-1-6 399432]
    R2 MBAMService;MBAMService;c:\progra~1\saazod\malwarebytes' anti-malware\mbamservice.exe [2013-1-6 676936]
    R2 SAAZappr;SAAZ RMM Agent Presence-PR;c:\progra~1\saazod\zrealtime\SAAZappr.exe [2011-5-31 82760]
    R2 SAAZDPMACTL;SAAZDPMACTL;c:\progra~1\saazod\SAAZDPMACTL.exe [2011-10-19 86856]
    R2 SAAZScheduler;SAAZScheduler;c:\progra~1\saazod\SAAZScheduler.exe [2011-10-19 77824]
    R2 SAAZServerPlus;SAAZServerPlus;c:\progra~1\saazod\SAAZServerPlus.exe [2009-4-30 77824]
    R2 SAAZWatchDog;SAAZWatchDog;c:\progra~1\saazod\SAAZWatchDog.exe [2011-10-19 86856]
    R2 SBAMSvc;VIPRE Business;c:\program files\gfi software\gfiagent\SBAMSvc.exe [2012-10-16 3675976]
    R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2012-8-1 66344]
    R2 SBPIMSvc;SB Recovery Service;c:\program files\gfi software\gfiagent\SBPIMSvc.exe [2012-10-16 175496]
    R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\intel\intel(r) management engine components\uns\UNS.exe [2011-10-17 2656536]
    R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2011-10-17 269824]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-1-6 22856]
    R3 MEI;Intel(R) Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2011-10-17 41088]
    R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2011-6-10 69504]
    R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2011-6-10 161664]
    R3 sbwtis;sbwtis;c:\windows\system32\drivers\sbwtis.sys [2012-10-15 75552]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 DM150Drv;DM150Drv;c:\windows\system32\drivers\DM150Drv.sys [2010-7-30 20600]
    S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
    S3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2013-5-16 43368]
    S3 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe --> c:\progra~1\mcafee\sitead~1\mcsacore.exe [?]
    S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
    S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-10-20 1343400]
    S4 SAAZapsc;SAAZ RMM Agent Presence-SC;c:\progra~1\saazod\zrealtime\SAAZapsc.exe [2011-5-31 82760]
    S4 SAAZRemoteSupport;SAAZRemoteSupport;c:\progra~1\saazod\SAAZRemoteSupport.exe [2011-10-19 78664]
    S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
    S4 ZEvtSVC;ZEvtSVC;c:\progra~1\saazod\zscc\zEvtSVC.exe [2011-8-9 232752]
    .
    =============== Created Last 30 ================
    .
    2014-08-28 14:11:46 -------- d-sh--w- C:\$RECYCLE.BIN
    2014-08-28 13:57:20 -------- d-----w- C:\ComboFix
    2014-08-28 13:42:31 -------- d-----w- C:\FRST
    2014-08-28 09:15:52 62576 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{d12a5873-8071-40f5-b2be-dc99599d41db}\offreg.dll
    2014-08-28 09:14:45 8581864 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{d12a5873-8071-40f5-b2be-dc99599d41db}\mpengine.dll
    2014-08-27 17:28:34 536576 ----a-w- c:\windows\system32\sqlite3.dll
    2014-08-26 20:12:31 -------- d-----w- c:\users\bella\appdata\roaming\SUPERAntiSpyware.com
    2014-08-26 20:12:31 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2014-08-26 18:56:51 98816 ----a-w- c:\windows\sed.exe
    2014-08-26 18:56:51 256000 ----a-w- c:\windows\PEV.exe
    2014-08-26 18:56:51 208896 ----a-w- c:\windows\MBR.exe
    2014-08-26 18:45:13 -------- d-----w- c:\windows\ERUNT
    2014-08-26 18:40:52 -------- d-----w- C:\AdwCleaner
    2014-08-26 18:22:41 -------- d-----w- C:\TDSSKiller_Quarantine
    2014-08-26 04:48:58 -------- d-----w- c:\programdata\OhlapGedce
    2014-08-25 03:56:23 -------- d-----w- C:\5a792bb
    2014-08-23 22:30:50 -------- d-----w- c:\users\bella\appdata\local\BrowserWireless
    2014-08-21 04:04:09 509440 ----a-w- c:\windows\system32\qedit.dll
    2014-08-17 12:54:22 -------- d-----w- c:\users\bella\appdata\local\ServerAudio
    2014-08-12 19:35:24 -------- d--h--w- c:\programdata\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}
    2014-08-03 09:11:17 -------- d-----w- c:\users\bella\appdata\roaming\b65b63
    2014-08-03 09:11:12 -------- d-----w- c:\users\bella\appdata\local\b65b63
    2014-08-03 09:10:01 -------- d-----w- c:\users\bella\appdata\local\3328503800
    .
    ==================== Find3M ====================
    .
    2014-08-26 18:32:04 376832 ----a-w- c:\windows\system32\rpcss.dll
    2014-08-05 13:20:02 231584 ------w- c:\windows\system32\MpSigStub.exe
    2014-07-19 13:10:33 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2014-07-19 13:10:33 53064 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
    2014-07-19 13:10:32 85832 ----a-w- c:\windows\system32\LMIinit.dll
    2014-07-19 13:10:32 31560 ----a-w- c:\windows\system32\LMIport.dll
    2014-06-18 01:51:32 646144 ----a-w- c:\windows\system32\osk.exe
    2014-06-18 00:52:00 2350080 ----a-w- c:\windows\system32\win32k.sys
    2014-06-09 13:08:49 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
    2014-06-05 14:26:50 1059840 ----a-w- c:\windows\system32\lsasrv.dll
    .
    ============= FINISH: 11:05:16.65 ===============




    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows 7 Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 10/19/2011 5:00:53 PM
    System Uptime: 8/28/2014 9:35:53 AM (2 hours ago)
    .
    Motherboard: Intel Corporation | | DH67BL
    Processor: Intel(R) Core(TM) i3-2102 CPU @ 3.10GHz | LGA1155 | 1581/100mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 455 GiB total, 403.56 GiB free.
    E: is Removable
    G: is CDROM ()
    R: is NetworkDisk (NTFS) - 250 GiB total, 173.813 GiB free.
    T: is NetworkDisk (NTFS) - 250 GiB total, 173.813 GiB free.
    U: is NetworkDisk (NTFS) - 250 GiB total, 173.813 GiB free.
    W: is NetworkDisk (NTFS) - 250 GiB total, 173.813 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: mbr
    Device ID: ROOT\LEGACY_MBR\0000
    Manufacturer:
    Name: mbr
    PNP Device ID: ROOT\LEGACY_MBR\0000
    Service: mbr
    .
    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: SASDIFSV
    Device ID: ROOT\LEGACY_SASDIFSV\0000
    Manufacturer:
    Name: SASDIFSV
    PNP Device ID: ROOT\LEGACY_SASDIFSV\0000
    Service: SASDIFSV
    .
    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: SASKUTIL
    Device ID: ROOT\LEGACY_SASKUTIL\0000
    Manufacturer:
    Name: SASKUTIL
    PNP Device ID: ROOT\LEGACY_SASKUTIL\0000
    Service: SASKUTIL
    .
    Class GUID: {36fc9e60-c465-11cf-8056-444553540000}
    Description: Unknown Device
    Device ID: USB\VID_0000&PID_0000\6&1A0384BD&0&2
    Manufacturer: (Standard USB Host Controller)
    Name: Unknown Device
    PNP Device ID: USB\VID_0000&PID_0000\6&1A0384BD&0&2
    Service:
    .
    ==== System Restore Points ===================
    .
    RP7551: 7/18/2014 5:44:15 AM - Windows Update
    RP7552: 7/21/2014 9:42:48 PM - Windows Update
    RP7553: 7/21/2014 9:43:44 PM - Windows Update
    RP7554: 7/21/2014 9:44:01 PM - Windows Update
    RP7555: 7/21/2014 9:44:27 PM - Windows Update
    RP7556: 7/21/2014 9:44:52 PM - Windows Update
    RP7557: 8/26/2014 7:24:00 PM - Scheduled Checkpoint
    RP7558: 8/28/2014 5:13:55 AM - Windows Update
    .
    ==== Installed Programs ======================
    .
    32 Bit HP CIO Components Installer
    Adobe AIR
    Adobe Flash Player 11 ActiveX
    Adobe Reader XI (11.0.07)
    Avery Wizard 4.0
    D3DX10
    Definition update for Microsoft Office 2010 (KB982726) 32-Bit Edition
    Dropbox
    FileMaker Pro 8.5
    GFI Business Agent
    Google Chrome
    Google Update Helper
    Intel(R) Control Center
    Intel(R) Management Engine Components
    Intel(R) Network Connections 16.5.2.0
    Intel(R) Processor Graphics
    Intel(R) Rapid Storage Technology
    ITSupport247-DPMA
    Junk Mail filter update
    KONICA MINOLTA bizhub 751/601
    LG CyberLink LabelPrint
    LG CyberLink Power2Go
    LG CyberLink PowerBackup
    LG CyberLink YouCam
    LG Power Tools
    LogMeIn
    Malwarebytes Anti-Malware version 1.65.1.1000
    Mesh Runtime
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft IntelliPoint 8.2
    Microsoft IntelliType Pro 8.2
    Microsoft Office 2010 Service Pack 1 (SP1)
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Home and Business 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Single Image 2010
    Microsoft Office Word MUI (English) 2010
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 Redistributable
    Microsoft XML Parser
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    Nexlink Recovery Center
    PC Meter Connect
    Realtek High Definition Audio Driver
    Renesas Electronics USB 3.0 Host Controller Driver
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2931365)
    Security Update for Microsoft Office 2010 (KB2553284) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2687423) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2687510) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2767915) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2810073) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2850016) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2880971) 32-Bit Edition
    Security Update for Microsoft Publisher 2010 (KB2553147) 32-Bit Edition
    ShopAtHome.com Helper
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition
    Update for Microsoft Excel 2010 (KB2837600) 32-Bit Edition
    Update for Microsoft Filter Pack 2.0 (KB2878281) 32-Bit Edition
    Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2566458)
    Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2825635) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2837581) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2837606) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2878252) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2881028) 32-Bit Edition
    Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
    Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition
    Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition
    Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
    Update for Microsoft PowerPoint 2010 (KB2837579) 32-Bit Edition
    Update for Microsoft Visio 2010 (KB2880526) 32-Bit Edition
    Update for Microsoft Visio Viewer 2010 (KB2837587) 32-Bit Edition
    Update for Microsoft Word 2010 (KB2880529) 32-Bit Edition
    Windows Driver Package - Pitney Bowes (DM150Drv) USB (07/04/2010 2.0.1.5)
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Mail
    Windows Live Mesh
    Windows Live Mesh ActiveX Control for Remote Connections
    Windows Live Messenger
    Windows Live MIME IFilter
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live Remote Client
    Windows Live Remote Client Resources
    Windows Live Remote Service
    Windows Live Remote Service Resources
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    .
    ==== Event Viewer Messages From Past Week ========
    .
    8/28/2014 9:36:28 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASDIFSV SASKUTIL
    8/28/2014 9:36:14 AM, Error: NETLOGON [5719] - This computer was not able to set up a secure session with a domain controller in domain NORTHCENT due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
    8/28/2014 9:30:15 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WPDBusEnum service.
    8/28/2014 9:28:54 AM, Error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).
    8/28/2014 9:28:54 AM, Error: Service Control Manager [7034] - The Interactive Services Detection service terminated unexpectedly. It has done this 1 time(s).
    8/28/2014 9:28:54 AM, Error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    8/28/2014 9:28:46 AM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    8/28/2014 9:28:45 AM, Error: Service Control Manager [7034] - The SB Recovery Service service terminated unexpectedly. It has done this 1 time(s).
    8/28/2014 9:28:45 AM, Error: Service Control Manager [7034] - The SAAZWatchDog service terminated unexpectedly. It has done this 1 time(s).
    8/28/2014 9:28:45 AM, Error: Service Control Manager [7034] - The SAAZServerPlus service terminated unexpectedly. It has done this 1 time(s).
    8/28/2014 9:28:45 AM, Error: Service Control Manager [7034] - The SAAZScheduler service terminated unexpectedly. It has done this 1 time(s).
    8/28/2014 9:28:45 AM, Error: Service Control Manager [7034] - The SAAZDPMACTL service terminated unexpectedly. It has done this 1 time(s).
    8/28/2014 9:28:45 AM, Error: Service Control Manager [7034] - The SAAZ RMM Agent Presence-PR service terminated unexpectedly. It has done this 1 time(s).
    8/28/2014 9:28:45 AM, Error: Service Control Manager [7034] - The MBAMScheduler service terminated unexpectedly. It has done this 1 time(s).
    8/28/2014 9:28:45 AM, Error: Service Control Manager [7034] - The LogMeIn service terminated unexpectedly. It has done this 1 time(s).
    8/28/2014 9:28:45 AM, Error: Service Control Manager [7034] - The LogMeIn Maintenance Service service terminated unexpectedly. It has done this 1 time(s).
    8/28/2014 9:28:45 AM, Error: Service Control Manager [7034] - The LMIGuardianSvc service terminated unexpectedly. It has done this 1 time(s).
    8/28/2014 9:28:45 AM, Error: Service Control Manager [7034] - The Intel(R) Rapid Storage Technology service terminated unexpectedly. It has done this 1 time(s).
    8/28/2014 9:28:45 AM, Error: Service Control Manager [7034] - The Intel(R) PROSet Monitoring Service service terminated unexpectedly. It has done this 1 time(s).
    8/28/2014 9:28:45 AM, Error: Service Control Manager [7034] - The Intel(R) Management and Security Application User Notification Service service terminated unexpectedly. It has done this 1 time(s).
    8/28/2014 9:28:45 AM, Error: Service Control Manager [7034] - The Adobe Acrobat Update Service service terminated unexpectedly. It has done this 1 time(s).
    8/28/2014 9:28:45 AM, Error: Service Control Manager [7031] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
    8/28/2014 9:28:45 AM, Error: Service Control Manager [7031] - The Intel(R) Management and Security Application Local Management Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
    8/28/2014 10:10:42 AM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    8/26/2014 4:08:59 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer NCJARTERM that believes that it is the master browser for the domain on transport NetBT_Tcpip_{C8C75108-648B-43C0-B933-860C9287. The master browser is stopping or an election is being forced.
    .
    ==== End Of File ===========================
     
  2. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===============================

    You need to uninstall your MBAM version and install the newest one.

    Why exactly are you offline and why your AV program is off?
     
  3. Eric Witzling

    Eric Witzling TS Rookie Topic Starter Posts: 96

    The PC was not offline. I mentioned that I could not run DDS with the network disconnected, as I was only able to connect remotely at that point. (Step 3, Note 1 suggests "After downloading the tool, disconnect from the internet and disable all antivirus protection.") I was specifying that I did not do that before running DDS and linking the logs above, but that I could disconnect at another time if necessary.

    I cannot really make changes to MalwareBytes on this machine, as it is a part of the installed platform, and is driven by back-end software. They are licensed only for this version. Quick tests run every day, and full scans every two days. If I change up the software, it will break their scripting. Unless there is a portable version of MBAM 2.0 you can point me to. (But I think those are only available with a technician subscription.) Or do you know if MBAM 2.0 can be installed in tandem with an earlier version? (I am not aware that it can do this, either.)

    Can we proceed with other tools, or work off the existing DDS logs above?
     
  4. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    [​IMG] Download RogueKiller from one of the following links and save it to your Desktop:

    Link 1
    Link 2

    • Close all the running programs
    • Windows Vista/7/8 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again

    [​IMG] Create new restore point before proceeding with the next step....
    How to: http://www.smartestcomputing.us.com/topic/63983-how-to-create-new-restore-point-all-windows/

    Download [img=[url]http://www.imgdumper.nl/uploads6/51a5f31352f71/51a5f31352b88-icon_MBAR.png][/url]Malwarebytes Anti-Rootkit to your desktop.
    • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
    • Double click on downloaded file. OK self extracting prompt.
    • MBAR will start. Click "Next" to continue.
    • Click in the following screen "Update" to obtain the latest malware definitions.
    • Once the update is complete select "Next" and click "Scan".
    • When the scan is finished and no malware has been found select "Exit".
    • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
    • Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
      • "mbar-log-{date} (xx-xx-xx).txt"
      • "system-log.txt"

    P. S. I'm going out of town this afternoon. I'll be back on Sunday evening.
     
  5. Eric Witzling

    Eric Witzling TS Rookie Topic Starter Posts: 96

    Thanks for the continuance. As a quick aside, when the browser.exe processes were constantly being re-created I noticed there were some rundll32.exe processes in the background as well. When I killed both of those as well, the browser.exe problem did not return, and nothing else was showing "browser crash" errors. So thankfully for now things are under control. (Just not yet cured at the source.)

    ----------------------------------------------

    RogueKiller V9.2.8.0 [Jul 11 2014] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
    Started in : Normal mode
    User : bella [Admin rights]
    Mode : Remove -- Date : 08/29/2014 16:30:08

    ¤¤¤ Bad processes : 2 ¤¤¤
    [Proc.Svchost] svchost.exe -- C:\Windows\System32\svchost.exe[x] -> [NoKill]
    [Suspicious.Path] (SVC) catchme -- \??\C:\Users\bella\AppData\Local\Temp\catchme.sys[x] -> STOPPED

    ¤¤¤ Registry Entries : 28 ¤¤¤
    [Suspicious.Path] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | gphuntu : rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\gphuntu.dll",gphuntu [x] -> DELETED
    [Suspicious.Path] HKEY_USERS\S-1-5-21-336078627-3664855205-978596220-1153\Software\Microsoft\Windows\CurrentVersion\Run | BrowserWireless : C:\Windows\system32\rundll32.exe "C:\Users\bella\AppData\Local\BrowserWireless\BrowserWireless.dll",DllRegisterServer [x] -> DELETED
    [Suspicious.Path] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run | gphuntu : rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\gphuntu.dll",gphuntu -> ERROR [2]
    [Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme -> NOT SELECTED
    [Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SASDIFSV -> NOT SELECTED
    [Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SASKUTIL -> NOT SELECTED
    [Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mbr -> NOT SELECTED
    [Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme -> NOT SELECTED
    [Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SASDIFSV -> NOT SELECTED
    [Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SASKUTIL -> NOT SELECTED
    [Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mbr -> NOT SELECTED
    [Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\catchme -> NOT SELECTED
    [Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SASDIFSV -> NOT SELECTED
    [Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SASKUTIL -> NOT SELECTED
    [PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> NOT SELECTED
    [PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0 -> NOT SELECTED
    [PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> NOT SELECTED
    [PUM.StartMenu] HKEY_USERS\S-1-5-21-336078627-3664855205-978596220-1153\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> NOT SELECTED
    [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> NOT SELECTED
    [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> NOT SELECTED
    [PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> NOT SELECTED
    [PUM.HomePage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> NOT SELECTED
    [PUM.SearchPage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> NOT SELECTED
    [PUM.SearchPage] HKEY_USERS\S-1-5-21-336078627-3664855205-978596220-1153\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> NOT SELECTED
    [PUM.SearchPage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> NOT SELECTED
    [Tr.Poweliks] HKEY_USERS\.DEFAULT\Software\classes\clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} -> DELETED
    [Tr.Poweliks] HKEY_USERS\S-1-5-21-336078627-3664855205-978596220-1153\Software\classes\clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} -> DELETED
    [Tr.Poweliks] HKEY_USERS\S-1-5-18\Software\classes\clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} -> ERROR [2]

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ HOSTS File : 1 ¤¤¤
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost

    ¤¤¤ Antirootkit : 0 (Driver: LOADED) ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: WDC WD5000AAKX-001CA0 +++++
    --- User ---
    [MBR] d452d056636c092a221d95c01a4bfb7c
    [BSP] 84e48c58e691bbec0181b4693c809b20 : HP MBR Code
    Partition table:
    0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 10679 MB
    1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 21872640 | Size: 466260 MB
    User = LL1 ... OK
    User = LL2 ... OK

    +++++ PhysicalDrive1: Multi Flash Reader USB Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! NOT VALID!
    Error reading LL2 MBR! ([32] The request is not supported. )


    ============================================
    RKreport_SCN_08292014_162914.log


    ------------------------------------------------------------------------------------------------------


    MBAR detected no malware, so not logs to post.



    Thanks for your time, meanwhile. Have a great weekend!
     
  6. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    Still here for a bit...

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Very Important! Temporarily disable your anti-virus and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      If the connection is not there use restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error Illegal operation attempted on a registery key that has been marked for deletion, restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
     
  7. Eric Witzling

    Eric Witzling TS Rookie Topic Starter Posts: 96

    I'll check in on it later this weekend. I ran Rkill and Combofix multiple times while trying to suss things out before posting here, so I don't think they'd do much anyway.

    I haven't noticed the behavior returning after a reboot, so I think RogueKiller may have been what found and removed the active component. I'll see if it comes back over time and after a few reboots, and follow up here as necessary.


    Start having that great weekend now. ;-)
     
  8. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    I posted my rules at the very beginning.
    One of them says:

    The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.

    I need to see Combofix log.
    Then we'll continue with more scans.
     
  9. Eric Witzling

    Eric Witzling TS Rookie Topic Starter Posts: 96

    I know. Just making a guess. I can't run anything else until later on.
     
  10. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    P. S. I'm going out of town this afternoon. I'll be back on Sunday evening.
     
  11. Eric Witzling

    Eric Witzling TS Rookie Topic Starter Posts: 96

    There were some popups waiting for me after I ran Combofix. browser.exe and two rundll32.exe processes have been waiting for me in the background. They were not there before I ran Combofix just now, leading me to believe they're attached to explorer.exe restarting. (Maybe a network process?)

    Combofix itself ran without issue, however.

    ------------------------------

    ComboFix 14-08-31.01 - bella 09/01/2014 15:33:18.3.4 - x86
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3493.2122 [GMT -4:00]
    Running from: c:\download\ComboFix.exe
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\drivers\etc\lmhosts
    .
    .
    ((((((((((((((((((((((((( Files Created from 2014-08-01 to 2014-09-01 )))))))))))))))))))))))))))))))
    .
    .
    2014-09-01 19:42 . 2014-09-01 19:42 -------- d-----w- c:\users\setup\AppData\Local\temp
    2014-09-01 19:42 . 2014-09-01 19:42 -------- d-----w- c:\users\mor1\AppData\Local\temp
    2014-09-01 19:42 . 2014-09-01 19:42 -------- d-----w- c:\users\Default\AppData\Local\temp
    2014-09-01 19:42 . 2014-09-01 19:42 -------- d-----w- c:\users\crystal\AppData\Local\temp
    2014-09-01 19:42 . 2014-09-01 19:42 -------- d-----w- c:\users\administrator\AppData\Local\temp
    2014-08-30 04:43 . 2014-08-30 04:43 62576 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{74D14E3C-5678-400C-8514-9869B9A2E3D4}\offreg.dll
    2014-08-29 20:35 . 2014-08-29 21:11 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
    2014-08-29 20:34 . 2014-08-29 20:34 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
    2014-08-29 20:22 . 2014-08-29 20:22 33512 ----a-w- c:\windows\system32\drivers\TrueSight.sys
    2014-08-29 20:22 . 2014-08-29 20:22 -------- d-----w- c:\programdata\RogueKiller
    2014-08-29 06:09 . 2014-08-21 02:44 8581864 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{74D14E3C-5678-400C-8514-9869B9A2E3D4}\mpengine.dll
    2014-08-28 13:42 . 2014-08-28 13:45 -------- d-----w- C:\FRST
    2014-08-27 17:28 . 2010-08-30 12:34 536576 ----a-w- c:\windows\system32\sqlite3.dll
    2014-08-26 20:12 . 2014-08-26 20:12 -------- d-----w- c:\users\bella\AppData\Roaming\SUPERAntiSpyware.com
    2014-08-26 20:12 . 2014-08-26 20:12 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2014-08-26 18:45 . 2014-08-26 18:45 -------- d-----w- c:\windows\ERUNT
    2014-08-26 18:40 . 2014-08-26 18:41 -------- d-----w- C:\AdwCleaner
    2014-08-26 18:22 . 2014-08-26 18:31 -------- d-----w- C:\TDSSKiller_Quarantine
    2014-08-26 04:48 . 2014-08-26 22:11 -------- d-----w- c:\programdata\OhlapGedce
    2014-08-25 03:56 . 2014-08-26 03:11 -------- d-----w- C:\5a792bb
    2014-08-23 22:30 . 2014-08-23 22:30 -------- d-----w- c:\users\bella\AppData\Local\BrowserWireless
    2014-08-21 04:04 . 2014-06-06 09:44 509440 ----a-w- c:\windows\system32\qedit.dll
    2014-08-17 12:54 . 2014-08-21 02:45 -------- d-----w- c:\users\bella\AppData\Local\ServerAudio
    2014-08-12 19:35 . 2014-08-13 09:45 -------- d--h--w- c:\programdata\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}
    2014-08-03 09:11 . 2014-08-03 09:11 -------- d-----w- c:\users\bella\AppData\Roaming\b65b63
    2014-08-03 09:11 . 2014-08-03 15:22 -------- d-----w- c:\users\bella\AppData\Local\b65b63
    2014-08-03 09:10 . 2014-08-04 13:30 -------- d-----w- c:\users\bella\AppData\Local\3328503800
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2014-08-29 07:15 . 2010-06-24 15:33 23256 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2014-08-26 18:32 . 2010-11-20 21:29 376832 ----a-w- c:\windows\system32\rpcss.dll
    2014-08-05 13:20 . 2011-10-19 21:14 231584 ------w- c:\windows\system32\MpSigStub.exe
    2014-07-19 13:10 . 2011-10-20 14:51 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2014-07-19 13:10 . 2011-10-20 14:51 53064 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
    2014-07-19 13:10 . 2011-10-20 14:51 31560 ----a-w- c:\windows\system32\LMIport.dll
    2014-07-19 13:10 . 2011-10-20 14:51 85832 ----a-w- c:\windows\system32\LMIinit.dll
    2014-06-09 13:08 . 2011-10-20 14:51 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt1"]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt2"]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt3"]
    @="{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}]
    2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt4"]
    @="{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}]
    2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt5"]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt6"]
    @="{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}]
    2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt7"]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt8"]
    @="{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}]
    2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ocx"="c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden [Reflection.Assembly]::Load((gp -Path 'hkcu:software\classes\clsid').OCX).GetType('gm.ks').GetMethod('m').Invoke(0" [X]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAStorIcon"="c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2011-05-20 284440]
    "RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2011-08-16 10820200]
    "NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-04-14 113288]
    "UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
    "CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-12-15 103720]
    "UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
    "UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-02-18 218408]
    "UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2010-04-20 222504]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-09-01 142616]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-09-01 177432]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2011-09-01 176408]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1313640]
    "PC Meter Connect"="c:\program files\Pitney Bowes\PC Meter Connect\mailstationAssistant.exe" [2012-02-07 3514368]
    "SBAMTray"="c:\program files\GFI Software\GFIAgent\SBAMTray.exe" [2012-10-16 3226504]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-12-21 959904]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Launcher"="c:\program files\SMINST\Launcher.exe" [2010-04-02 237568]
    .
    c:\users\bella\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\bella\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2014-7-29 36414496]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Users^bella^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk]
    path=c:\users\bella\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2010 Screen Clipper and Launcher.lnk.Startup
    backupExtension=.Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2013-12-21 06:04 959904 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserWireless]
    2014-08-27 13:23 292352 ----a-w- c:\users\bella\AppData\Local\BrowserWireless\BrowserWireless.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBAMTray]
    2012-10-16 20:29 3226504 ----a-w- c:\program files\GFI Software\GFIAgent\SBAMTray.exe
    .
    R1 SASDIFSV;SASDIFSV;c:\users\bella\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
    R1 SASKUTIL;SASKUTIL;c:\users\bella\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
    R3 DM150Drv;DM150Drv;c:\windows\system32\DRIVERS\DM150Drv.sys [2010-07-30 20600]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
    R3 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-10-20 1343400]
    R4 SAAZapsc;SAAZ RMM Agent Presence-SC;c:\progra~1\SAAZOD\zRealTime\SAAZapsc.exe SAAZapsc [x]
    R4 SAAZRemoteSupport;SAAZRemoteSupport;c:\progra~1\SAAZOD\SAAZRemoteSupport.exe [2011-10-19 78664]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
    R4 ZEvtSVC;ZEvtSVC;c:\progra~1\SAAZOD\zSCC\zEvtSVC.exe [2012-11-09 232752]
    S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-05-20 13592]
    S2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2011-06-29 112800]
    S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2014-07-19 375120]
    S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2013-05-24 13624]
    S2 MBAMScheduler;MBAMScheduler;c:\progra~1\SAAZOD\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-30 399432]
    S2 MBAMService;MBAMService;c:\progra~1\SAAZOD\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-30 676936]
    S2 SAAZappr;SAAZ RMM Agent Presence-PR;c:\progra~1\SAAZOD\zRealTime\SAAZappr.exe SAAZappr [x]
    S2 SAAZDPMACTL;SAAZDPMACTL;c:\progra~1\SAAZOD\SAAZDPMACTL.exe [2011-10-19 86856]
    S2 SAAZScheduler;SAAZScheduler;c:\progra~1\SAAZOD\SAAZScheduler.exe [2011-10-19 77824]
    S2 SAAZServerPlus;SAAZServerPlus;c:\progra~1\SAAZOD\SAAZServerPlus.exe [2009-04-30 77824]
    S2 SAAZWatchDog;SAAZWatchDog;c:\progra~1\SAAZOD\SAAZWatchDog.exe [2011-10-19 86856]
    S2 SBAMSvc;VIPRE Business;c:\program files\GFI Software\GFIAgent\SBAMSvc.exe [2012-10-16 3675976]
    S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [2012-08-01 66344]
    S2 SBPIMSvc;SB Recovery Service;c:\program files\GFI Software\GFIAgent\SBPIMSvc.exe [2012-10-16 175496]
    S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-05-04 2656536]
    S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-07-28 45288]
    S3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2013-05-23 43368]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-15 269824]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-30 22856]
    S3 MEI;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [2010-10-19 41088]
    S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2011-06-10 69504]
    S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2011-06-10 161664]
    S3 radpms;Driver for RADPMS Device;c:\windows\system32\DRIVERS\radpms.sys [2010-09-17 13408]
    S3 sbwtis;sbwtis;c:\windows\system32\DRIVERS\sbwtis.sys [2012-10-16 75552]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MBAMPROTECTOR
    *Deregistered* - MBAMSwissArmy
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
    2014-08-30 19:34 1096520 ----a-w- c:\program files\Google\Chrome\Application\37.0.2062.102\Installer\chrmstp.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2014-09-01 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-17 02:35]
    .
    2014-09-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2013-10-16 17:50]
    .
    2014-09-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2013-10-16 17:50]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
    Trusted Zone: ncjar.com\www
    TCP: DhcpNameServer = 192.168.0.20
    TCP: Interfaces\{C8C75108-648B-43C0-B933-860C92875C7D}: NameServer = 192.168.0.20,8.8.8.8,208.67.222.222
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
    @Denied: (2) (LocalSystem)
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,
    27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b
    "{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
    94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
    "{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,
    ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3
    "{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
    b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
    @Denied: (2) (LocalSystem)
    "Timestamp"=hex:a4,03,e1,5a,85,b1,cf,01
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2014-09-01 15:44:28
    ComboFix-quarantined-files.txt 2014-09-01 19:44
    ComboFix2.txt 2014-08-28 14:13
    ComboFix3.txt 2014-08-26 19:26
    .
    Pre-Run: 430,949,556,224 bytes free
    Post-Run: 436,279,566,336 bytes free
    .
    - - End Of File - - 0E28F15C486538E0561E4BCCEE74BE8C
    5C616939100B85E558DA92B899A0FC36
     
     
  12. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    [​IMG]
    Please move Combofix file to proper location - Desktop

    [​IMG] Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Scan button.
    • When the scan has finished click on Clean button.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.

    [​IMG] Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.

    [​IMG] Please download Farbar Recovery Scan Tool and save it to your Desktop.

    Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
    • The first time the tool is run, it makes also another log (Addition.txt). Please copy and paste it to your reply.
     
  13. Eric Witzling

    Eric Witzling TS Rookie Topic Starter Posts: 96

    Is there a particular reason the malware tool file location matters, in this circumstance? The profile you launch it in matters, of course, but I don't think I have run across a time when the launch-from directory matters, so long as the security privileges The purpose of C:\download is that it is an internally-created and -used directory that is excluded from A/V and A/M and granted automatic firewall and router permissions (as needed) so that we can run certain tools on machines without conflict with on-board protection or group policy.

    I can't run the other tests yet. The workstation will be in use during the day, and I'm deployed elsewhere. For now the browser.exe processes have not been coming back, since the rundll32.exe have been killed, so the customer is able to work a normal day. Will get back to after hours tonight.
     
    sdonohue1994 likes this.
  14. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    Yes. At the end of our procedure we'll run cleaning tool which will remove all tools we've been using.
    If some tool is not located on your Desktop the cleaning tool won't find it.
     
  15. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    Still with me?
     
  16. Eric Witzling

    Eric Witzling TS Rookie Topic Starter Posts: 96

    Yes, sorry. I've been having to work around the user's schedule and getting her to not shut down the PC at night, and when I was able to get in on Friday and could start running ADWcleaner, I got locked out in some fashion. Only just got back in the office today, after a morning onsite.

    I'll have to arrange a time when I can get to the PC locally, I think.
     
  17. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    Let me know :)
     
  18. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    Still with me?
     
  19. Eric Witzling

    Eric Witzling TS Rookie Topic Starter Posts: 96

    Couldn't get to the PC locally. On it remotely. Fingers crossed that I don't get locked out. ;-)

    It hasn't been pressing for the user, since I provided a batch file that kills the problem while it's running. Sorry for the lengthy delays.
     
  20. Eric Witzling

    Eric Witzling TS Rookie Topic Starter Posts: 96

    Haha... nope! AdwCleaner completely thrashes my remote connection, for some reason, after telling it to perform the cleanup and reboot. (Looks like it knocks out my LMI tools, but does not successfully reboot. Maybe I can script my way around that, too. But not today.)
     
  21. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    Let me know...
     
  22. Eric Witzling

    Eric Witzling TS Rookie Topic Starter Posts: 96

    At last!


    ---------------------------------------

    # AdwCleaner v3.310 - Report created 16/09/2014 at 16:33:09
    # Updated 12/09/2014 by Xplode
    # Operating System : Windows 7 Professional Service Pack 1 (32 bits)
    # Username : bella - NCJAR-NEX-1011
    # Running from : C:\Users\bella\Desktop\AdwCleaner.exe
    # Option : Clean
    ***** [ Services ] *****

    ***** [ Files / Folders ] *****

    ***** [ Scheduled Tasks ] *****

    ***** [ Shortcuts ] *****

    ***** [ Registry ] *****

    ***** [ Browsers ] *****
    -\\ Internet Explorer v9.0.8112.16545

    -\\ Google Chrome v37.0.2062.120
    [ File : C:\Users\bella\AppData\Local\Google\Chrome\User Data\Default\preferences ]
    Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
    Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
    *************************
    AdwCleaner[R1].txt - [792 octets] - [27/08/2014 13:27:20]
    AdwCleaner[R2].txt - [863 octets] - [28/08/2014 09:27:31]
    AdwCleaner[R3].txt - [1327 octets] - [05/09/2014 17:26:49]
    AdwCleaner[R4].txt - [1242 octets] - [15/09/2014 16:37:27]
    AdwCleaner[R5].txt - [1362 octets] - [16/09/2014 16:32:03]
    AdwCleaner[S1].txt - [547 octets] - [28/08/2014 09:28:54]
    AdwCleaner[S2].txt - [753 octets] - [05/09/2014 17:29:23]
    AdwCleaner[S3].txt - [546 octets] - [15/09/2014 16:39:09]
    AdwCleaner[S4].txt - [1287 octets] - [16/09/2014 16:33:09]
    ########## EOF - U:\AdwCleaner\AdwCleaner[S4].txt - [1347 octets] ##########



    -------------------------------------

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Thisisu
    Version: 6.1.5 (09.16.2014:1)
    OS: Windows 7 Professional x86
    Ran by bella on Tue 09/16/2014 at 16:39:58.54
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ~~~ Services
    ~~~ Registry Values
    Suspicious HKCU\..\Run entries found. Trojan:JS/Medfos.B?
    Value Name Type Value Data
    ========================================================================================
    wvxdmfokq REG_SZ rundll32.exe "C:\Users\bella\AppData\Local\CrashDumps\wvxdmfokq.dll",DllRegisterServer

    ~~~ Registry Keys
    ~~~ Files
    ~~~ Folders
    ~~~ Event Viewer Logs were cleared
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Tue 09/16/2014 at 16:42:29.12
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~





    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-09-2014
    Ran by bella (administrator) on NCJAR-NEX-1011 on 16-09-2014 16:48:28
    Running from C:\Users\bella\Desktop
    Platform: Microsoft Windows 7 Professional Service Pack 1 (X86) OS Language: English (United States)
    Internet Explorer Version 9
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
    ==================== Processes (Whitelisted) =================
    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
    (Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
    (LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    (LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\ramaint.exe
    (Malwarebytes Corporation) C:\Program Files\SAAZOD\Malwarebytes' Anti-Malware\mbamscheduler.exe
    (Malwarebytes Corporation) C:\Program Files\SAAZOD\Malwarebytes' Anti-Malware\mbamservice.exe
    (Zenith Infotech Ltd) C:\Program Files\SAAZOD\zRealTime\SAAZappr.exe
    (Zenith Infotech Ltd) C:\Program Files\SAAZOD\SAAZDPMACTL.exe
    (Zenith Infotech Ltd) C:\Program Files\SAAZOD\SAAZScheduler.exe
    (Zenith Infotech Ltd) C:\Program Files\SAAZOD\SAAZServerPlus.exe
    (Zenith Infotech Ltd) C:\Program Files\SAAZOD\SAAZWatchDog.exe
    (GFI Software) C:\Program Files\GFI Software\GFIAgent\SBPIMSvc.exe
    (Zenith Infotech Ltd) C:\Program Files\SAAZOD\zRealTime\rtHlpDk.exe
    (Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
    (LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LogMeIn.exe
    (Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
    (Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    (Renesas Electronics Corporation) C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
    (CyberLink) C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
    (LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    (Intel Corporation) C:\Windows\System32\igfxtray.exe
    (Intel Corporation) C:\Windows\System32\hkcmd.exe
    (Intel Corporation) C:\Windows\System32\igfxpers.exe
    (Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    (Microsoft Corporation) C:\Program Files\Microsoft IntelliType Pro\itype.exe
    (Pitney Bowes, Inc.) C:\Program Files\Pitney Bowes\PC Meter Connect\mailstationAssistant.exe
    (Dropbox, Inc.) C:\Users\bella\AppData\Roaming\Dropbox\bin\Dropbox.exe
    (GFI Software) C:\Program Files\GFI Software\GFIAgent\SBAMSvc.exe
    (Continuum Managed Services LLC.) C:\Program Files\SAAZOD\zSCC\zInCCM.exe
    (Continuum Managed Services LLC.) C:\Program Files\SAAZOD\zSCC\zCCM.exe
    (Microsoft Corporation) C:\Windows\System32\UI0Detect.exe
    (GFI Software) C:\Program Files\GFI Software\GFIAgent\SBAMTray.exe
    (Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
    (Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    (Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    (Thisisu) C:\Users\bella\Desktop\JRT.exe
    (Microsoft Corporation) C:\Windows\System32\cmd.exe
    (Microsoft Corporation) C:\Windows\System32\WerFault.exe
    (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
    (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
    (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

    ==================== Registry (Whitelisted) ==================
    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
    HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284440 2011-05-20] (Intel Corporation)
    HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [10820200 2011-08-16] (Realtek Semiconductor)
    HKLM\...\Run: [NUSB3MON] => C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [113288 2011-04-14] (Renesas Electronics Corporation)
    HKLM\...\Run: [UpdateLBPShortCut] => C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
    HKLM\...\Run: [CLMLServer] => C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe [103720 2009-12-15] (CyberLink)
    HKLM\...\Run: [UpdateP2GoShortCut] => C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
    HKLM\...\Run: [UCam_Menu] => C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe [218408 2009-02-17] (CyberLink Corp.)
    HKLM\...\Run: [UpdatePSTShortCut] => C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe [222504 2010-04-20] (CyberLink Corp.)
    HKLM\...\Run: [LogMeIn GUI] => C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [63048 2010-09-17] (LogMeIn, Inc.)
    HKLM\...\Run: [IntelliPoint] => c:\Program Files\Microsoft IntelliPoint\ipoint.exe [1821576 2011-08-01] (Microsoft Corporation)
    HKLM\...\Run: [itype] => c:\Program Files\Microsoft IntelliType Pro\itype.exe [1313640 2011-08-10] (Microsoft Corporation)
    HKLM\...\Run: [PC Meter Connect] => C:\Program Files\Pitney Bowes\PC Meter Connect\mailstationAssistant.exe [3514368 2012-02-07] (Pitney Bowes, Inc.)
    HKLM\...\Run: [SBAMTray] => C:\Program Files\GFI Software\GFIAgent\SBAMTray.exe [3226504 2012-10-16] (GFI Software)
    HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-12-21] (Adobe Systems Incorporated)
    HKLM\...\RunOnce: [Launcher] => C:\Program Files\SMINST\Launcher.exe [237568 2010-04-02] (soft thinks)
    HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
    HKLM Group Policy restriction on software: C:\Program Files\McAfee <====== ATTENTION
    HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
    HKU\S-1-5-21-336078627-3664855205-978596220-1153\...\Run: [ocx] => C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [452608 2009-07-13] (Microsoft Corporation)
    HKU\S-1-5-21-336078627-3664855205-978596220-1153\...\Run: [wvxdmfokq] => rundll32.exe "C:\Users\bella\AppData\Local\CrashDumps\wvxdmfokq.dll",DllRegisterServer <===== ATTENTION
    Startup: C:\Users\bella\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
    ShortcutTarget: Dropbox.lnk -> C:\Users\bella\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
    ==================== Internet (Whitelisted) ====================
    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x7B2CC4C8A38ECC01
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
    SearchScopes: HKCU - {214E69C2-1C1F-41A7-B722-788A39E8D635} URL = http://search.yahoo.com/search?fr=mcafee&p={SearchTerms}
    BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
    BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
    Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://control.itsupport247.net/components/swflash.cab
    DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=722
    Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
    Tcpip\Parameters: [DhcpNameServer] 192.168.0.20
    Tcpip\..\Interfaces\{C8C75108-648B-43C0-B933-860C92875C7D}: [NameServer] 192.168.0.20,8.8.8.8,208.67.222.222
    FireFox:
    ========
    FF Plugin: @microsoft.com/GENUINE -> disabled No File
    FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
    FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
    FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
    FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    Chrome:
    =======
    CHR HomePage: Default -> hxxp://www.google.com/
    CHR StartupUrls: Default -> "hxxp://www.google.com/"
    CHR DefaultSearchKeyword: Default -> B82890D073B845E7A9E3D8DCE390C6208FB1A46C2B5FB3FCDCE7359A58E13CDB
    CHR DefaultSearchURL: Default -> CC2E8E2C7188E37081A968209AA2D279D40D1834D1E88663A583F907622A6227
    CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\37.0.2062.120\PepperFlash\pepflashplayer.dll ()
    CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
    CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\37.0.2062.120\ppGoogleNaClPluginChrome.dll ()
    CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\37.0.2062.120\pdf.dll ()
    CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 11.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
    CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
    CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
    CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll No File
    CHR Plugin: (Windows Live™ Photo Gallery) - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll No File
    CHR CustomProfile: C:\Users\bella\AppData\Local\Google\Chrome\User Data\Default
    CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\bella\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-22]
    CHR Extension: (Google Wallet) - C:\Users\bella\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-10-16]
    ========================== Services (Whitelisted) =================
    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
    R2 Intel(R) PROSet Monitoring Service; C:\Windows\system32\IProsetMonitor.exe [112800 2011-06-29] (Intel Corporation)
    R2 MBAMScheduler; C:\Program Files\SAAZOD\Malwarebytes' Anti-Malware\mbamscheduler.exe [399432 2012-09-29] (Malwarebytes Corporation)
    R2 MBAMService; C:\Program Files\SAAZOD\Malwarebytes' Anti-Malware\mbamservice.exe [676936 2012-09-29] (Malwarebytes Corporation)
    R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [45568 2012-02-08] (Hewlett-Packard) [File not signed]
    R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [55808 2012-02-08] (Hewlett-Packard) [File not signed]
    R2 SAAZappr; C:\Program Files\SAAZOD\zRealTime\SAAZappr.exe [82760 2011-05-31] (Zenith Infotech Ltd)
    S4 SAAZapsc; C:\Program Files\SAAZOD\zRealTime\SAAZapsc.exe [82760 2011-05-31] (Zenith Infotech Ltd)
    R2 SAAZDPMACTL; C:\Program Files\SAAZOD\SAAZDPMACTL.exe [86856 2011-10-19] (Zenith Infotech Ltd)
    S4 SAAZRemoteSupport; C:\Program Files\SAAZOD\SAAZRemoteSupport.exe [78664 2011-10-19] (Zenith Infotech Ltd)
    R2 SAAZScheduler; C:\Program Files\SAAZOD\SAAZScheduler.exe [77824 2011-10-19] (Zenith Infotech Ltd) [File not signed]
    R2 SAAZServerPlus; C:\Program Files\SAAZOD\SAAZServerPlus.exe [77824 2009-04-30] (Zenith Infotech Ltd) [File not signed]
    R2 SAAZWatchDog; C:\Program Files\SAAZOD\SAAZWatchDog.exe [86856 2011-10-19] (Zenith Infotech Ltd)
    R2 SBAMSvc; C:\Program Files\GFI Software\GFIAgent\SBAMSvc.exe [3675976 2012-10-16] (GFI Software)
    R2 SBPIMSvc; C:\Program Files\GFI Software\GFIAgent\SBPIMSvc.exe [175496 2012-10-16] (GFI Software)
    S4 ZEvtSVC; C:\Program Files\SAAZOD\zSCC\zEvtSVC.exe [232752 2012-11-09] (Continuum Managed Services LLC.)
    S3 McAfee SiteAdvisor Service; c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe [X]
    ==================== Drivers (Whitelisted) ====================
    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
    S3 DM150Drv; C:\Windows\System32\DRIVERS\DM150Drv.sys [20600 2010-07-30] (Pitney Bowes)
    R3 e1cexpress; C:\Windows\System32\DRIVERS\e1c6232.sys [268968 2011-07-20] (Intel Corporation)
    S3 gfiark; C:\Windows\System32\drivers\gfiark.sys [43368 2013-05-23] (ThreatTrack Security)
    R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [22856 2012-09-29] (Malwarebytes Corporation)
    R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [41088 2010-10-19] (Intel Corporation)
    R3 nusb3hub; C:\Windows\System32\DRIVERS\nusb3hub.sys [69504 2011-06-10] (Renesas Electronics Corporation)
    R3 nusb3xhc; C:\Windows\System32\DRIVERS\nusb3xhc.sys [161664 2011-06-10] (Renesas Electronics Corporation)
    R3 radpms; C:\Windows\System32\DRIVERS\radpms.sys [13408 2010-09-17] (LogMeIn, Inc.)
    R2 sbapifs; C:\Windows\System32\DRIVERS\sbapifs.sys [66344 2012-08-01] (GFI Software)
    R3 sbwtis; C:\Windows\System32\DRIVERS\sbwtis.sys [75552 2012-10-15] (GFI Software)
    S3 catchme; \??\C:\Users\bella\AppData\Local\Temp\catchme.sys [X]
    S4 LMIRfsClientNP; No ImagePath
    S1 SASDIFSV; \??\C:\Users\bella\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [X]
    S1 SASKUTIL; \??\C:\Users\bella\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [X]
    ==================== NetSvcs (Whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

    ==================== One Month Created Files and Folders ========
    (If an entry is included in the fixlist, the file\folder will be moved.)
    2014-09-16 16:48 - 2014-09-16 16:48 - 00014696 _____ () C:\Users\bella\Desktop\FRST.txt
    2014-09-16 16:45 - 2014-09-16 16:48 - 01097728 _____ (Farbar) C:\Users\bella\Desktop\FRST.exe
    2014-09-16 16:42 - 2014-09-16 16:42 - 00000993 _____ () C:\Users\bella\Desktop\JRT.txt
    2014-09-16 16:39 - 2014-09-16 16:39 - 01016035 _____ (Thisisu) C:\Users\bella\Desktop\JRT.exe
    2014-09-16 16:31 - 2014-09-16 16:31 - 05579386 _____ (Swearware) C:\Users\bella\Desktop\ComboFix.exe
    2014-09-16 16:31 - 2014-09-16 16:31 - 01373475 _____ () C:\Users\bella\Desktop\AdwCleaner.exe
    2014-09-16 12:19 - 2014-09-16 12:20 - 00011902 _____ () C:\Users\bella\Documents\Legal Issues with Remax Achievers 9.17.14.xlsx
    2014-09-16 10:44 - 2014-09-16 10:44 - 00006971 _____ () C:\Users\bella\Downloads\registrants_list.csv
    2014-09-16 10:44 - 2014-09-16 10:44 - 00006971 _____ () C:\Users\bella\Downloads\registrants_list (2).csv
    2014-09-16 10:44 - 2014-09-16 10:44 - 00006971 _____ () C:\Users\bella\Downloads\registrants_list (1).csv
    2014-09-11 14:05 - 2014-09-11 14:05 - 00009399 _____ () C:\Users\bella\Documents\CE Roster Template.xlsx
    2014-09-11 13:49 - 2014-09-11 13:49 - 00146352 _____ (Tim Kosse) C:\Users\bella\AppData\Roaming\ezvbho.exe
    2014-09-11 09:13 - 2014-09-16 15:40 - 00015005 _____ () C:\Users\bella\Documents\Cushman and Wakefield Leases 10.5.14.xlsx
    2014-09-11 09:09 - 2014-09-16 15:35 - 00014970 _____ () C:\Users\bella\Documents\Cushman and Wakefield Listing Agmts 10.5.14.xlsx
    2014-09-10 09:21 - 2014-09-10 09:21 - 00000254 _____ () C:\Windows\system32\AgentDWQ.xml
    2014-09-09 15:15 - 2014-09-09 15:15 - 00009615 _____ () C:\Users\bella\Documents\Kids College Schedule Fall 2014.xlsx
    2014-09-09 13:03 - 2014-09-12 16:20 - 00014599 _____ () C:\Users\bella\Documents\Cushman and Wakefield One Day CE9.15.14.xlsx
    2014-09-09 12:25 - 2014-09-09 12:25 - 00027136 _____ () C:\Users\bella\Documents\Salesperson's Roster 9.2.14.xls
    2014-09-09 11:27 - 2014-09-09 11:40 - 00011358 _____ () C:\Users\bella\Documents\KW Livingston Legal Issues 9.10.14.xlsx
    2014-09-09 09:42 - 2014-09-09 09:45 - 00009933 _____ () C:\Users\bella\Documents\Employee emails 9.9.14.xlsx
    2014-09-08 12:26 - 2014-09-09 16:41 - 00013923 _____ () C:\Users\bella\Documents\Realtor Care Day Roster with emails 9.12.14.xlsx
    2014-09-05 10:51 - 2014-09-10 11:25 - 00000000 ____D () C:\Users\bella\AppData\Local\CrashDumps
    2014-09-02 15:08 - 2014-08-29 03:18 - 00000050 _____ () C:\Users\bella\Desktop\errorclear.bat
    2014-09-02 13:38 - 2014-09-02 14:04 - 00010804 _____ () C:\Users\bella\Documents\Salesperson's 9.2.14.xlsx
    2014-09-02 09:28 - 2014-09-01 15:43 - 00000027 _____ () C:\Windows\system32\Drivers\etc\hosts.bak090214092805
    2014-09-01 15:44 - 2014-09-01 15:44 - 00017880 _____ () C:\ComboFix.txt
    2014-08-29 16:35 - 2014-08-29 17:11 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
    2014-08-29 16:34 - 2014-08-29 16:34 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
    2014-08-29 16:22 - 2014-08-29 16:22 - 00033512 _____ () C:\Windows\system32\Drivers\TrueSight.sys
    2014-08-29 16:22 - 2014-08-29 16:22 - 00000000 ____D () C:\ProgramData\RogueKiller
    2014-08-28 09:42 - 2014-09-16 16:48 - 00000000 ____D () C:\FRST
    2014-08-27 13:28 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\Windows\system32\sqlite3.dll
    2014-08-26 16:12 - 2014-08-26 16:12 - 00000000 ____D () C:\Users\bella\AppData\Roaming\SUPERAntiSpyware.com
    2014-08-26 16:12 - 2014-08-26 16:12 - 00000000 ____D () C:\ProgramData\SUPERAntiSpyware.com
    2014-08-26 14:56 - 2014-09-01 15:44 - 00000000 ____D () C:\Qoobox
    2014-08-26 14:56 - 2011-06-26 02:45 - 00256000 _____ () C:\Windows\PEV.exe
    2014-08-26 14:56 - 2010-11-07 13:20 - 00208896 _____ () C:\Windows\MBR.exe
    2014-08-26 14:56 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
    2014-08-26 14:56 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
    2014-08-26 14:56 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
    2014-08-26 14:56 - 2000-08-30 20:00 - 00098816 _____ () C:\Windows\sed.exe
    2014-08-26 14:56 - 2000-08-30 20:00 - 00080412 _____ () C:\Windows\grep.exe
    2014-08-26 14:56 - 2000-08-30 20:00 - 00068096 _____ () C:\Windows\zip.exe
    2014-08-26 14:48 - 2014-08-26 15:25 - 00000000 ____D () C:\Windows\erdnt
    2014-08-26 14:45 - 2014-08-26 14:45 - 00000000 ____D () C:\Windows\ERUNT
    2014-08-26 14:40 - 2014-08-26 14:41 - 00000000 ____D () C:\AdwCleaner
    2014-08-26 14:22 - 2014-08-26 14:31 - 00000000 ____D () C:\TDSSKiller_Quarantine
    2014-08-26 00:48 - 2014-08-26 18:11 - 00000000 ____D () C:\ProgramData\OhlapGedce
    2014-08-24 23:56 - 2014-08-25 23:11 - 00000000 ____D () C:\5a792bb
    2014-08-24 01:14 - 2014-08-24 01:14 - 345088437 _____ () C:\Windows\MEMORY.DMP
    2014-08-23 18:30 - 2014-08-23 18:30 - 00000000 ____D () C:\Users\bella\AppData\Local\BrowserWireless
    2014-08-21 00:04 - 2014-06-06 05:44 - 00509440 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
    2014-08-21 00:03 - 2014-06-17 21:51 - 00646144 _____ (Microsoft Corporation) C:\Windows\system32\osk.exe
    2014-08-21 00:03 - 2014-06-17 20:52 - 02350080 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
    2014-08-21 00:03 - 2014-06-05 10:26 - 01059840 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
    2014-08-21 00:03 - 2014-05-30 02:36 - 00338944 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys
    2014-08-17 08:54 - 2014-08-20 22:45 - 00000000 ____D () C:\Users\bella\AppData\Local\ServerAudio
    ==================== One Month Modified Files and Folders =======
    (If an entry is included in the fixlist, the file\folder will be moved.)
    2014-09-16 16:48 - 2014-09-16 16:48 - 00014696 _____ () C:\Users\bella\Desktop\FRST.txt
    2014-09-16 16:48 - 2014-09-16 16:45 - 01097728 _____ (Farbar) C:\Users\bella\Desktop\FRST.exe
    2014-09-16 16:48 - 2014-08-28 09:42 - 00000000 ____D () C:\FRST
    2014-09-16 16:42 - 2014-09-16 16:42 - 00000993 _____ () C:\Users\bella\Desktop\JRT.txt
    2014-09-16 16:42 - 2012-04-17 09:03 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
    2014-09-16 16:41 - 2009-07-14 00:34 - 00031312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2014-09-16 16:41 - 2009-07-14 00:34 - 00031312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2014-09-16 16:39 - 2014-09-16 16:39 - 01016035 _____ (Thisisu) C:\Users\bella\Desktop\JRT.exe
    2014-09-16 16:38 - 2011-10-19 17:39 - 00000000 ____D () C:\Program Files\SAAZOD
    2014-09-16 16:36 - 2014-05-15 11:13 - 00000000 ___RD () C:\Users\bella\Dropbox
    2014-09-16 16:36 - 2014-05-15 11:12 - 00000000 ____D () C:\Users\bella\AppData\Roaming\Dropbox
    2014-09-16 16:35 - 2013-10-16 13:50 - 00000880 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2014-09-16 16:34 - 2014-01-22 10:14 - 00000964 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Control Panel.lnk
    2014-09-16 16:34 - 2013-10-16 13:50 - 00000884 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2014-09-16 16:34 - 2011-10-17 08:56 - 01432020 _____ () C:\Windows\WindowsUpdate.log
    2014-09-16 16:33 - 2011-10-19 17:05 - 00000136 _____ () C:\Windows\system32\config\netlogon.ftl
    2014-09-16 16:33 - 2010-11-20 17:48 - 00119844 _____ () C:\Windows\PFRO.log
    2014-09-16 16:33 - 2009-07-14 00:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
    2014-09-16 16:33 - 2009-07-14 00:39 - 00061506 _____ () C:\Windows\setupact.log
    2014-09-16 16:31 - 2014-09-16 16:31 - 05579386 _____ (Swearware) C:\Users\bella\Desktop\ComboFix.exe
    2014-09-16 16:31 - 2014-09-16 16:31 - 01373475 _____ () C:\Users\bella\Desktop\AdwCleaner.exe
    2014-09-16 15:40 - 2014-09-11 09:13 - 00015005 _____ () C:\Users\bella\Documents\Cushman and Wakefield Leases 10.5.14.xlsx
    2014-09-16 15:35 - 2014-09-11 09:09 - 00014970 _____ () C:\Users\bella\Documents\Cushman and Wakefield Listing Agmts 10.5.14.xlsx
    2014-09-16 13:22 - 2011-10-20 22:20 - 00000000 ____D () C:\Users\bella\Documents\Outlook Files
    2014-09-16 12:20 - 2014-09-16 12:19 - 00011902 _____ () C:\Users\bella\Documents\Legal Issues with Remax Achievers 9.17.14.xlsx
    2014-09-16 10:44 - 2014-09-16 10:44 - 00006971 _____ () C:\Users\bella\Downloads\registrants_list.csv
    2014-09-16 10:44 - 2014-09-16 10:44 - 00006971 _____ () C:\Users\bella\Downloads\registrants_list (2).csv
    2014-09-16 10:44 - 2014-09-16 10:44 - 00006971 _____ () C:\Users\bella\Downloads\registrants_list (1).csv
    2014-09-16 09:04 - 2011-10-20 10:51 - 00000000 ____D () C:\ProgramData\LogMeIn
    2014-09-15 16:36 - 2011-12-09 12:10 - 00000000 ____D () C:\download
    2014-09-15 00:12 - 2011-10-19 17:42 - 00002269 _____ () C:\Windows\system32\ipstuffNew.txt
    2014-09-13 22:25 - 2014-03-14 09:20 - 00000000 ____D () C:\Users\bella\AppData\Local\Apps\2.0
    2014-09-13 22:25 - 2012-09-25 15:24 - 00000000 ____D () C:\ProgramData\Pitney Bowes
    2014-09-13 22:25 - 2011-10-28 14:49 - 00000000 ____D () C:\Users\bella\AppData\Local\Google
    2014-09-13 22:25 - 2011-10-20 10:52 - 00000000 ____D () C:\XFER
    2014-09-13 22:25 - 2011-10-19 17:50 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
    2014-09-13 22:25 - 2011-10-19 17:09 - 00000000 ____D () C:\Users\administrator\AppData\Local\Power2Go
    2014-09-13 22:25 - 2011-10-19 17:09 - 00000000 ____D () C:\Users\administrator
    2014-09-13 22:24 - 2011-10-20 22:16 - 00000000 ____D () C:\Old User Accounts
    2014-09-13 22:24 - 2011-10-17 08:59 - 00000000 ____D () C:\net_drvs
    2014-09-13 22:23 - 2012-01-24 16:41 - 00000000 ____D () C:\bizhub 601
    2014-09-12 16:20 - 2014-09-09 13:03 - 00014599 _____ () C:\Users\bella\Documents\Cushman and Wakefield One Day CE9.15.14.xlsx
    2014-09-11 14:05 - 2014-09-11 14:05 - 00009399 _____ () C:\Users\bella\Documents\CE Roster Template.xlsx
    2014-09-11 13:49 - 2014-09-11 13:49 - 00146352 _____ (Tim Kosse) C:\Users\bella\AppData\Roaming\ezvbho.exe
    2014-09-11 00:18 - 2011-10-20 22:22 - 00000000 ____D () C:\Users\bella\AppData\Local\Windows Live Writer
    2014-09-10 11:37 - 2013-10-16 13:50 - 00002135 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
    2014-09-10 11:25 - 2014-09-05 10:51 - 00000000 ____D () C:\Users\bella\AppData\Local\CrashDumps
    2014-09-10 09:21 - 2014-09-10 09:21 - 00000254 _____ () C:\Windows\system32\AgentDWQ.xml
    2014-09-10 09:21 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\Web
    2014-09-09 16:41 - 2014-09-08 12:26 - 00013923 _____ () C:\Users\bella\Documents\Realtor Care Day Roster with emails 9.12.14.xlsx
    2014-09-09 15:15 - 2014-09-09 15:15 - 00009615 _____ () C:\Users\bella\Documents\Kids College Schedule Fall 2014.xlsx
    2014-09-09 12:25 - 2014-09-09 12:25 - 00027136 _____ () C:\Users\bella\Documents\Salesperson's Roster 9.2.14.xls
    2014-09-09 11:40 - 2014-09-09 11:27 - 00011358 _____ () C:\Users\bella\Documents\KW Livingston Legal Issues 9.10.14.xlsx
    2014-09-09 09:45 - 2014-09-09 09:42 - 00009933 _____ () C:\Users\bella\Documents\Employee emails 9.9.14.xlsx
    2014-09-08 19:20 - 2013-10-16 13:50 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
    2014-09-08 19:20 - 2011-10-28 14:50 - 00000000 ____D () C:\Program Files\Common Files\Adobe
    2014-09-08 09:15 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\LiveKernelReports
    2014-09-05 11:34 - 2013-10-16 15:25 - 00223744 _____ () C:\Users\bella\Documents\2014 Volunteer Pool.xls
    2014-09-02 14:04 - 2014-09-02 13:38 - 00010804 _____ () C:\Users\bella\Documents\Salesperson's 9.2.14.xlsx
    2014-09-01 15:44 - 2014-09-01 15:44 - 00017880 _____ () C:\ComboFix.txt
    2014-09-01 15:44 - 2014-08-26 14:56 - 00000000 ____D () C:\Qoobox
    2014-09-01 15:43 - 2014-09-02 09:28 - 00000027 _____ () C:\Windows\system32\Drivers\etc\hosts.bak090214092805
    2014-09-01 15:43 - 2009-07-13 22:04 - 00000215 _____ () C:\Windows\system.ini
    2014-08-29 17:11 - 2014-08-29 16:35 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
    2014-08-29 16:34 - 2014-08-29 16:34 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
    2014-08-29 16:22 - 2014-08-29 16:22 - 00033512 _____ () C:\Windows\system32\Drivers\TrueSight.sys
    2014-08-29 16:22 - 2014-08-29 16:22 - 00000000 ____D () C:\ProgramData\RogueKiller
    2014-08-29 03:18 - 2014-09-02 15:08 - 00000050 _____ () C:\Users\bella\Desktop\errorclear.bat
    2014-08-28 09:36 - 2009-07-14 00:53 - 00032612 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
    2014-08-27 09:19 - 2011-10-28 14:49 - 00000000 ____D () C:\Program Files\Google
    2014-08-27 09:19 - 2011-04-27 14:30 - 00000000 ____D () C:\Windows\options
    2014-08-27 09:19 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\PLA
    2014-08-26 18:11 - 2014-08-26 00:48 - 00000000 ____D () C:\ProgramData\OhlapGedce
    2014-08-26 16:12 - 2014-08-26 16:12 - 00000000 ____D () C:\Users\bella\AppData\Roaming\SUPERAntiSpyware.com
    2014-08-26 16:12 - 2014-08-26 16:12 - 00000000 ____D () C:\ProgramData\SUPERAntiSpyware.com
    2014-08-26 16:08 - 2011-10-28 14:49 - 00000000 ____D () C:\ProgramData\Google
    2014-08-26 15:26 - 2009-07-13 22:37 - 00000000 __RHD () C:\Users\Default
    2014-08-26 15:26 - 2009-07-13 22:37 - 00000000 ___RD () C:\Users\Public
    2014-08-26 15:25 - 2014-08-26 14:48 - 00000000 ____D () C:\Windows\erdnt
    2014-08-26 14:45 - 2014-08-26 14:45 - 00000000 ____D () C:\Windows\ERUNT
    2014-08-26 14:41 - 2014-08-26 14:40 - 00000000 ____D () C:\AdwCleaner
    2014-08-26 14:32 - 2010-11-20 17:29 - 00376832 _____ (Microsoft Corporation) C:\Windows\system32\rpcss.dll
    2014-08-26 14:31 - 2014-08-26 14:22 - 00000000 ____D () C:\TDSSKiller_Quarantine
    2014-08-26 14:09 - 2014-04-09 12:41 - 00000074 _____ () C:\Windows\system32\xtzdkwb.yim
    2014-08-26 14:04 - 2014-08-08 04:28 - 00039936 _____ () C:\Windows\system32\ecmnmao.jfy
    2014-08-26 14:04 - 2014-04-09 12:31 - 00000320 _____ () C:\Windows\system32\fpfsohh.suz
    2014-08-25 23:12 - 2011-10-17 08:52 - 00000000 ____D () C:\Windows\CSC
    2014-08-25 23:12 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\Resources
    2014-08-25 23:11 - 2014-08-24 23:56 - 00000000 ____D () C:\5a792bb
    2014-08-24 23:56 - 2011-10-17 08:57 - 00000280 _____ () C:\ver.txt
    2014-08-24 23:56 - 2011-04-27 17:54 - 00008728 __RSH () C:\BOOTSECT.BAK
    2014-08-24 01:52 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\rescache
    2014-08-24 01:15 - 2009-07-14 00:33 - 00363064 _____ () C:\Windows\system32\FNTCACHE.DAT
    2014-08-24 01:14 - 2014-08-24 01:14 - 345088437 _____ () C:\Windows\MEMORY.DMP
    2014-08-24 01:14 - 2011-10-17 04:51 - 00000000 ____D () C:\Windows\I386
    2014-08-24 01:14 - 2010-11-20 20:47 - 00000000 ____D () C:\Program Files\Windows Journal
    2014-08-24 01:14 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\AppCompat
    2014-08-23 18:30 - 2014-08-23 18:30 - 00000000 ____D () C:\Users\bella\AppData\Local\BrowserWireless
    2014-08-20 22:45 - 2014-08-17 08:54 - 00000000 ____D () C:\Users\bella\AppData\Local\ServerAudio
    2014-08-20 09:04 - 2009-07-13 22:37 - 00000000 __RSD () C:\Windows\Media
    2014-08-18 09:12 - 2009-07-14 00:52 - 00000000 ____D () C:\Windows\twain_32
    Some content of TEMP:
    ====================
    C:\Users\bella\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmppmchf8.dll
    C:\Users\bella\AppData\Local\Temp\Quarantine.exe

    ==================== Bamital & volsnap Check =================
    (There is no automatic fix for files that do not pass verification.)
    C:\Windows\explorer.exe => File is digitally signed
    C:\Windows\system32\winlogon.exe => File is digitally signed
    C:\Windows\system32\wininit.exe => File is digitally signed
    C:\Windows\system32\svchost.exe => File is digitally signed
    C:\Windows\system32\services.exe => File is digitally signed
    C:\Windows\system32\User32.dll => File is digitally signed
    C:\Windows\system32\userinit.exe => File is digitally signed
    C:\Windows\system32\rpcss.dll => File is digitally signed
    C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

    LastRegBack: 2014-09-16 14:11
    ==================== End Of Log ============================
     
  23. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    Still waiting for Addition.txt log.
     
  24. Eric Witzling

    Eric Witzling TS Rookie Topic Starter Posts: 96

    Sorry, for some reason that one was not produced this time. I thought it might not need, but maybe it knew the tool had been run previously on that machine. I have an addition.txt from the 28th (before I started this ticket) that I will include below. Will you need me to clear things aside enough to run current one?

    ----------------------------------

    Additional scan result of Farbar Recovery Scan Tool (x86) Version:26-08-2014
    Ran by bella at 2014-08-28 09:44:36
    Running from C:\download
    Boot Mode: Normal
    ==========================================================

    ==================== Security Center ========================
    (If an entry is included in the fixlist, it will be removed.)
    AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    ==================== Installed Programs ======================
    (Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
    32 Bit HP CIO Components Installer (Version: 13.1.1 - Hewlett-Packard) Hidden
    Adobe AIR (HKLM\...\Adobe AIR) (Version: 3.9.0.1380 - Adobe Systems Incorporated)
    Adobe AIR (Version: 3.9.0.1380 - Adobe Systems Incorporated) Hidden
    Adobe Flash Player 11 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 11.9.900.170 - Adobe Systems Incorporated)
    Adobe Reader XI (11.0.07) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.07 - Adobe Systems Incorporated)
    Avery Wizard 4.0 (HKLM\...\{7196E6BD-4B65-43F9-9D30-73A8E58D0E84}) (Version: 4.0.103 - Avery)
    D3DX10 (Version: 15.4.2368.0902 - Microsoft) Hidden
    Definition update for Microsoft Office 2010 (KB982726) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{28857979-5507-4C10-A922-FF709A19D38C}) (Version: - Microsoft)
    Dropbox (HKCU\...\Dropbox) (Version: 2.10.27 - Dropbox, Inc.)
    FileMaker Pro 8.5 (HKLM\...\{34F3877C-6399-4A89-98FD-C3FE32EEE25C}) (Version: 8.5.2.0 - FileMaker, Inc.)
    GFI Business Agent (HKLM\...\{C1D1FC57-3EB9-4B21-BCA3-F1C927508200}) (Version: 6.0.5481 - GFI Software)
    GFI Business Agent (Version: 6.0.5481 - GFI Software) Hidden
    Google Chrome (HKLM\...\Google Chrome) (Version: 37.0.2062.94 - Google Inc.)
    Google Update Helper (Version: 1.3.24.15 - Google Inc.) Hidden
    Intel(R) Control Center (HKLM\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
    Intel(R) Management Engine Components (HKLM\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
    Intel(R) Network Connections 16.5.2.0 (HKLM\...\PROSetDX) (Version: 16.5.2.0 - Intel)
    Intel(R) Network Connections 16.5.2.0 (Version: 16.5.2.0 - Intel) Hidden
    Intel(R) Processor Graphics (HKLM\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2476 - Intel Corporation)
    Intel(R) Rapid Storage Technology (HKLM\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 10.6.0.1002 - Intel Corporation)
    ITSupport247-DPMA (HKLM\...\SAAZOD) (Version: 5.2.4 - Continuum Managed Services LLC)
    Junk Mail filter update (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
    KONICA MINOLTA bizhub 751/601 (HKLM\...\KONICA MINOLTA bizhub 751/601 Installer) (Version: - KONICA MINOLTA)
    LG CyberLink LabelPrint (HKLM\...\InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.2111 - CyberLink Corp.)
    LG CyberLink LabelPrint (Version: 2.5.2111 - CyberLink Corp.) Hidden
    LG CyberLink Power2Go (HKLM\...\InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.2.4009 - CyberLink Corp.)
    LG CyberLink Power2Go (Version: 6.2.4009 - CyberLink Corp.) Hidden
    LG CyberLink PowerBackup (HKLM\...\{ADD5DB49-72CF-11D8-9D75-000129760D75}) (Version: 2.5.5529 - CyberLink Corp.)
    LG CyberLink YouCam (HKLM\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 2.0.3304a - CyberLink Corp.)
    LG CyberLink YouCam (Version: 2.0.3304a - CyberLink Corp.) Hidden
    LG Power Tools (HKLM\...\InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}) (Version: 6.0.3316 - CyberLink Corp.)
    LG Power Tools (Version: 6.0.3316 - CyberLink Corp.) Hidden
    LogMeIn (HKLM\...\{D3AE96EE-2876-4B3F-847C-D3A4AD689E43}) (Version: 4.1.1578 - LogMeIn, Inc.)
    Malwarebytes Anti-Malware version 1.65.1.1000 (HKLM\...\Malwarebytes' Anti-Malware_is1) (Version: 1.65.1.1000 - Malwarebytes Corporation)
    Mesh Runtime (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
    Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
    Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
    Microsoft Application Error Reporting (Version: 12.0.6012.5000 - Microsoft Corporation) Hidden
    Microsoft IntelliPoint 8.2 (HKLM\...\Microsoft IntelliPoint 8.2) (Version: 8.20.468.0 - Microsoft Corporation)
    Microsoft IntelliPoint 8.2 (Version: 8.20.468.0 - Microsoft Corporation) Hidden
    Microsoft IntelliType Pro 8.2 (HKLM\...\Microsoft IntelliType Pro 8.2) (Version: 8.20.469.0 - Microsoft Corporation)
    Microsoft IntelliType Pro 8.2 (Version: 8.20.469.0 - Microsoft Corporation) Hidden
    Microsoft Office 2010 Service Pack 1 (SP1) (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{047B0968-E622-4FAA-9B4B-121FA109EDDE}) (Version: - Microsoft)
    Microsoft Office 2010 Service Pack 1 (SP1) (Version: - Microsoft) Hidden
    Microsoft Office Access MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
    Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
    Microsoft Office Excel MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
    Microsoft Office Home and Business 2010 (HKLM\...\Office14.SingleImage) (Version: 14.0.6029.1000 - Microsoft Corporation)
    Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
    Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
    Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
    Microsoft Office Proof (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
    Microsoft Office Proof (French) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
    Microsoft Office Proof (Spanish) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
    Microsoft Office Proofing (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
    Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
    Microsoft Office Shared MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
    Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
    Microsoft Office Single Image 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
    Microsoft Office Word MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
    Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
    Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
    Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
    Microsoft XML Parser (Version: 8.70.1104.04 - Microsoft Corporation) Hidden
    MSVCRT (Version: 15.4.2862.0708 - Microsoft) Hidden
    MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
    MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
    MSXML 4.0 SP2 Parser and SDK (HKLM\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
    Nexlink Recovery Center (HKLM\...\{0F9B474C-B65A-427E-A3A6-9B7460ED14D9}) (Version: 1.2.21 - SoftThinks)
    PC Meter Connect (HKLM\...\{D39BAE47-1B85-41F6-9348-44E965009B56}) (Version: 05.00.0056.0000 - Pitney Bowes)
    Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6438 - Realtek Semiconductor Corp.)
    Renesas Electronics USB 3.0 Host Controller Driver (HKLM\...\InstallShield_{5442DAB8-7177-49E1-8B22-09A049EA5996}) (Version: 2.1.19.0 - Renesas Electronics Corporation)
    Renesas Electronics USB 3.0 Host Controller Driver (Version: 2.1.19.0 - Renesas Electronics Corporation) Hidden
    ShopAtHome.com Helper (HKLM\...\ShopAtHome.com Helper) (Version: 7.0.2.1 - ShopAtHome.com)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (HKLM\...\{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2468871) (Version: 1 - Microsoft Corporation)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (HKLM\...\{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2533523) (Version: 1 - Microsoft Corporation)
    Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{B4A38370-2ADB-46B0-A1B0-0C4A2F7DCA31}) (Version: - Microsoft)
    Update for Microsoft Excel 2010 (KB2837600) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{4ACD847E-547D-493F-9A86-F73EAE1B5174}) (Version: - Microsoft)
    Update for Microsoft Filter Pack 2.0 (KB2878281) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{302A8FE3-EBF5-486C-A431-16A1CD914443}) (Version: - Microsoft)
    Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{4EEA3D3E-989C-4DF4-AB0A-3042C0C12AA3}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{18B3CF2A-73F7-4716-B1AE-86D68726D408}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition (HKLM\...\{90140000-006E-0409-0000-0000000FF1CE}_Office14.SingleImage_{73E67A3A-8D61-44EF-90C2-1697C3DBE668}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2566458) (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{EFB525A0-E1C0-4E32-9968-FE401BC87363}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{DADF7E25-FFA4-4D02-BE84-1DAE62C18516}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{F4284D93-7AE8-4309-8CF3-9AD394F35F3A}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{287A1E92-9E41-4BC1-8920-B3D0E9220800}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{ED31DE9A-3E13-4E2C-9106-E0D8AFFB9FA6}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{9D69691D-823D-4C3E-9B12-563A3F520366}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{ECFE33A3-B8B7-439A-ADE4-59FBD29EF9B8}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{35698CB7-AAA2-4577-B505-DBFF504AEF23}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{5AA578BB-759C-40FD-9661-A737C0884541}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2825635) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{F1A20C69-9FE5-40FD-9CD5-84EABC2EF64A}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2837581) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{334FB202-28D7-4BA4-8BC9-4FE4AB233EA0}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2837606) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{B0D672F7-883E-4279-8E75-D97A5445AB46}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2878252) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{B0DB9F71-E0F7-4FE6-8925-35B860CAC0C4}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2881028) 32-Bit Edition (HKLM\...\{90140000-001F-0409-0000-0000000FF1CE}_Office14.SingleImage_{C0BDC1DE-C35E-422B-8CBD-C1D555468720}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2881028) 32-Bit Edition (HKLM\...\{90140000-001F-040C-0000-0000000FF1CE}_Office14.SingleImage_{089DBFD7-8211-43B2-AAAE-5BDD8C23E3A8}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2881028) 32-Bit Edition (HKLM\...\{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.SingleImage_{794A0574-4E2F-4D58-B2A0-D7460ACDC85C}) (Version: - Microsoft)
    Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition (HKLM\...\{90140000-00A1-0409-0000-0000000FF1CE}_Office14.SingleImage_{9865DC3A-2898-48D9-B96A-46397571C934}) (Version: - Microsoft)
    Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{51CCA922-A0CC-47C4-8910-6936D97CAC2E}) (Version: - Microsoft)
    Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM\...\{90140000-001A-0409-0000-0000000FF1CE}_Office14.SingleImage_{DCE104A1-1875-4469-A83D-A5BFA6C4640F}) (Version: - Microsoft)
    Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{2AB483F1-C86E-427A-83B4-23889B03512D}) (Version: - Microsoft)
    Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition (HKLM\...\{90140000-001A-0409-0000-0000000FF1CE}_Office14.SingleImage_{1EEFF749-6F29-4F0B-AB08-4C6EA52AA110}) (Version: - Microsoft)
    Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{BC6DFBFD-16DD-47E1-A7EF-2C062930FA4F}) (Version: - Microsoft)
    Update for Microsoft PowerPoint 2010 (KB2837579) 32-Bit Edition (HKLM\...\{90140000-0018-0409-0000-0000000FF1CE}_Office14.SingleImage_{334AA0A1-2BB1-4D74-B66A-2B2C4D9C2C87}) (Version: - Microsoft)
    Update for Microsoft PowerPoint 2010 (KB2837579) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{2BA40F82-F3A4-441C-BF1A-ED4C42FF4872}) (Version: - Microsoft)
    Update for Microsoft Visio 2010 (KB2880526) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{7B29D8B8-6A87-496C-A65E-B935E740448A}) (Version: - Microsoft)
    Update for Microsoft Visio Viewer 2010 (KB2837587) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{38CF30E4-3348-4BD1-A859-B630C355A56F}) (Version: - Microsoft)
    Update for Microsoft Word 2010 (KB2880529) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{B9B89E01-5B6B-4F73-BC34-B2C0D8ACB4CD}) (Version: - Microsoft)
    Windows Driver Package - Pitney Bowes (DM150Drv) USB (07/04/2010 2.0.1.5) (HKLM\...\BD561D5D94E7AFC181BE8A098D2EC2B90BD07068) (Version: 07/04/2010 2.0.1.5 - Pitney Bowes)
    Windows Live Communications Platform (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
    Windows Live Essentials (HKLM\...\WinLiveSuite) (Version: 15.4.3502.0922 - Microsoft Corporation)
    Windows Live Essentials (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
    Windows Live ID Sign-in Assistant (Version: 7.250.4225.0 - Microsoft Corporation) Hidden
    Windows Live Installer (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
    Windows Live Mail (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
    Windows Live Mesh (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
    Windows Live Mesh ActiveX Control for Remote Connections (HKLM\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
    Windows Live Messenger (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
    Windows Live MIME IFilter (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
    Windows Live Movie Maker (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
    Windows Live Photo Common (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
    Windows Live Photo Gallery (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
    Windows Live PIMT Platform (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
    Windows Live Remote Client (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
    Windows Live Remote Client Resources (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
    Windows Live Remote Service (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
    Windows Live Remote Service Resources (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
    Windows Live SOXE (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
    Windows Live SOXE Definitions (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
    Windows Live UX Platform (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
    Windows Live UX Platform Language Pack (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
    Windows Live Writer (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
    Windows Live Writer Resources (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
    ==================== Custom CLSID (selected items): ==========================
    (If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
    CustomCLSID: HKU\S-1-5-21-336078627-3664855205-978596220-1153_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\bella\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
    CustomCLSID: HKU\S-1-5-21-336078627-3664855205-978596220-1153_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
    CustomCLSID: HKU\S-1-5-21-336078627-3664855205-978596220-1153_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
    CustomCLSID: HKU\S-1-5-21-336078627-3664855205-978596220-1153_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
    CustomCLSID: HKU\S-1-5-21-336078627-3664855205-978596220-1153_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
    CustomCLSID: HKU\S-1-5-21-336078627-3664855205-978596220-1153_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
    CustomCLSID: HKU\S-1-5-21-336078627-3664855205-978596220-1153_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
    CustomCLSID: HKU\S-1-5-21-336078627-3664855205-978596220-1153_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
    CustomCLSID: HKU\S-1-5-21-336078627-3664855205-978596220-1153_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
    ==================== Restore Points =========================
    18-07-2014 09:44:15 Windows Update
    22-07-2014 01:42:48 Windows Update
    22-07-2014 01:43:44 Windows Update
    22-07-2014 01:44:01 Windows Update
    22-07-2014 01:44:27 Windows Update
    22-07-2014 01:44:52 Windows Update
    26-08-2014 23:24:00 Scheduled Checkpoint
    28-08-2014 09:13:55 Windows Update
    ==================== Hosts content: ==========================
    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)
    2009-07-13 22:04 - 2014-08-26 15:25 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
    127.0.0.1 localhost
    ==================== Scheduled Tasks (whitelisted) =============
    (If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
    Task: {5D54E216-E864-4658-AD76-A9E3104F645E} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-27] (Adobe Systems Incorporated)
    Task: {71BD2A95-2994-463C-B265-733BFB1ACF9B} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2013-10-16] (Google Inc.)
    Task: {7842BDB0-3EF8-4C9D-AC97-ACFD9C3D24D9} - System32\Tasks\{EA7BDE4B-E79B-9AE7-C48B-6A7290BB8BDF} => C:\Windows\system32\bwjbt.dll/s "C:\Windows\system32\bwjbt.dll"
    Task: {86F63824-521F-4B32-A196-C881D5D820F3} - System32\Tasks\{EEB24AC8-CECD-565F-1D17-BB284BABA67C} => C:\Windows\system32\vihsfy.dll/s "C:\Windows\system32\vihsfy.dll"
    Task: {882EFFD9-D52E-4618-BA3E-A48DDA9DF907} - System32\Tasks\{7FD23C53-AA66-5637-7E1F-90D46F9A62AB} => C:\Windows\system32\lkzat.dll/s "C:\Windows\system32\lkzat.dll"
    Task: {90EF2650-2607-42A9-A58D-2F663806107C} - System32\Tasks\{0B93B45D-6E75-45C5-BF74-94C9A1B57C5D} => C:\Program Files\FileMaker\FileMaker Pro 8.5\FileMaker Pro.exe [2007-02-13] (FileMaker, Inc.)
    Task: {9400D8DC-981F-41FA-AB9B-6563A8803675} - System32\Tasks\{7FD45665-85EA-8066-EE79-5FA9A3F7CE2E} => C:\Windows\system32\nfxmxrz.dll/s "C:\Windows\system32\nfxmxrz.dll"
    Task: {ACE5A76B-0FEB-40D7-AB3B-471C39A8E724} - System32\Tasks\Microsoft_Hardware_Launch_IType_exe => c:\Program Files\Microsoft IntelliType Pro\IType.exe [2011-08-10] (Microsoft Corporation)
    Task: {B474333C-CBF6-4495-A845-1A0485E458A8} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2013-10-16] (Google Inc.)
    Task: {BF267A3F-37C3-4562-9B9C-7A6716F5B842} - System32\Tasks\Microsoft_Hardware_Launch_IPoint_exe => c:\Program Files\Microsoft IntelliPoint\IPoint.exe [2011-08-01] (Microsoft Corporation)
    Task: {E9626A09-0716-4133-9EF9-088C9EA46DA6} - System32\Tasks\{E064ED84-AD37-CF9C-9AF8-5214DAA12C73} => C:\Windows\system32\qywcwk.dll/s "C:\Windows\system32\qywcwk.dll"
    Task: {F4DCB859-DA48-40EE-9001-B5AFDF2CC19B} - System32\Tasks\{2418D788-DCD6-326A-E4C6-FACCA1838469} => C:\Windows\system32\cxelqm.dll/s "C:\Windows\system32\cxelqm.dll"
    (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
    Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
    Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
    Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
    ==================== Loaded Modules (whitelisted) =============
    2009-10-02 00:07 - 2012-01-24 16:41 - 00011264 _____ () C:\Windows\System32\KOBZFS_L.dll
    2009-10-02 00:07 - 2012-01-24 16:42 - 00011264 _____ () C:\Windows\System32\KOBZFA_L.dll
    2009-10-02 00:07 - 2012-01-24 16:42 - 00011264 _____ () C:\Windows\System32\KOBZFW_L.DLL
    2012-02-20 23:26 - 2012-02-20 23:26 - 00160768 _____ () C:\Program Files\GFI Software\GFIAgent\unrar.dll
    2009-12-15 13:46 - 2009-12-15 13:46 - 00619816 ____N () C:\Program Files\CyberLink\Power2Go\CLMediaLibrary.dll
    2009-12-15 13:49 - 2009-12-15 13:49 - 00013096 ____N () C:\Program Files\CyberLink\Power2Go\CLMLSvcPS.dll
    2011-10-17 04:38 - 2011-08-09 07:44 - 00094208 _____ () C:\Windows\System32\IccLibDll.dll
    2014-08-28 09:37 - 2014-08-28 09:37 - 00043008 _____ () c:\users\bella\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpg00pge.dll
    2013-08-23 15:01 - 2013-08-23 15:01 - 25100288 _____ () C:\Users\bella\AppData\Roaming\Dropbox\bin\libcef.dll
    2012-12-04 23:49 - 2014-06-20 06:08 - 00192376 _____ () C:\Program Files\GFI Software\GFIAgent\Definitions\libBase64.dll
    2012-12-04 23:49 - 2014-06-20 06:08 - 00180088 _____ () C:\Program Files\GFI Software\GFIAgent\Definitions\libMachoUniv.dll
    2014-08-27 13:56 - 2014-08-27 13:56 - 00718152 _____ () C:\Users\bella\AppData\LocalLow\CottonVisual\ReceiverBeerware\36.0.1985.143\libglesv2.dll
    2014-08-27 13:56 - 2014-08-27 13:56 - 00126280 _____ () C:\Users\bella\AppData\LocalLow\CottonVisual\ReceiverBeerware\36.0.1985.143\libegl.dll
    2014-08-27 13:56 - 2014-08-27 13:56 - 08537928 _____ () C:\Users\bella\AppData\LocalLow\CottonVisual\ReceiverBeerware\36.0.1985.143\pdf.dll
    2014-08-27 13:56 - 2014-08-27 13:56 - 00353096 _____ () C:\Users\bella\AppData\LocalLow\CottonVisual\ReceiverBeerware\36.0.1985.143\ppGoogleNaClPluginChrome.dll
    2014-08-27 13:56 - 2014-08-27 13:56 - 01732936 _____ () C:\Users\bella\AppData\LocalLow\CottonVisual\ReceiverBeerware\36.0.1985.143\ffmpegsumo.dll
    2014-08-27 13:56 - 2014-08-27 13:56 - 14669128 _____ () C:\Users\bella\AppData\LocalLow\CottonVisual\ReceiverBeerware\36.0.1985.143\PepperFlash\pepflashplayer.dll
    2013-09-20 22:08 - 2013-09-20 22:08 - 00172544 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\f74734b086803d04e7f573d7853cfc8a\IsdiInterop.ni.dll
    2011-10-17 08:58 - 2011-05-20 10:05 - 00059904 _____ () C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IsdiInterop.dll
    2014-08-27 17:37 - 2014-08-19 18:16 - 01098056 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.94\libglesv2.dll
    2014-08-27 17:37 - 2014-08-19 18:16 - 00174408 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.94\libegl.dll
    2014-08-27 17:37 - 2014-08-19 18:16 - 08577864 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.94\pdf.dll
    2014-08-27 17:37 - 2014-08-19 18:16 - 00331592 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.94\ppGoogleNaClPluginChrome.dll
    2014-08-27 17:37 - 2014-08-19 18:16 - 01660232 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.94\ffmpegsumo.dll
    2014-08-27 17:37 - 2014-08-19 18:16 - 14669128 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.94\PepperFlash\pepflashplayer.dll
    ==================== Alternate Data Streams (whitelisted) =========
    (If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

    ==================== Safe Mode (whitelisted) ===================
    (If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAAZappr => "imagepath"=""C:\PROGRA~1\SAAZOD\zRealTime\SAAZappr.exe" SAAZappr"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAAZappr => "ObjectName"="LocalSystem"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAAZappr => "Start"="2"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAAZappr => "type"="110"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAAZapsc => "imagepath"=""C:\PROGRA~1\SAAZOD\zRealTime\SAAZapsc.exe" SAAZapsc"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAAZapsc => "ObjectName"="LocalSystem"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAAZapsc => "Start"="2"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAAZapsc => "type"="110"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SBAMSvc => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SBPIMSvc => ""="Service"
    ==================== EXE Association (whitelisted) =============
    (If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

    ==================== MSCONFIG/TASK MANAGER disabled items =========
    (Currently there is no automatic fix for this section.)
    MSCONFIG\Services: SBAMSvc => 2
    MSCONFIG\Services: SBPIMSvc => 2
    MSCONFIG\startupfolder: C:^Users^bella^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk => C:\Windows\pss\OneNote 2010 Screen Clipper and Launcher.lnk.Startup
    MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    MSCONFIG\startupreg: BrowserWireless => C:\Windows\system32\rundll32.exe "C:\Users\bella\AppData\Local\BrowserWireless\BrowserWireless.dll",DllRegisterServer
    MSCONFIG\startupreg: SBAMTray => "C:\Program Files\GFI Software\GFIAgent\SBAMTray.exe"
    MSCONFIG\startupreg: swg => "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    ==================== Faulty Device Manager Devices =============
    Name: SASDIFSV
    Description: SASDIFSV
    Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Manufacturer:
    Service: SASDIFSV
    Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
    Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
    Devices stay in this state if they have been prepared for removal.
    After you remove the device, this error disappears.Remove the device, and this error should be resolved.
    Name: SASKUTIL
    Description: SASKUTIL
    Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Manufacturer:
    Service: SASKUTIL
    Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
    Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
    Devices stay in this state if they have been prepared for removal.
    After you remove the device, this error disappears.Remove the device, and this error should be resolved.
    Name: Unknown Device
    Description: Unknown Device
    Class Guid: {36fc9e60-c465-11cf-8056-444553540000}
    Manufacturer: (Standard USB Host Controller)
    Service:
    Problem: : Windows has stopped this device because it has reported problems. (Code 43)
    Resolution: One of the drivers controlling the device notified the operating system that the device failed in some manner. For more information about how to diagnose the problem, see the hardware documentation.

    ==================== Event log errors: =========================
    Application errors:
    ==================
    Error: (08/28/2014 00:33:33 AM) (Source: SideBySide) (EventID: 33) (User: )
    Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
    Dependent Assembly Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
    Please use sxstrace.exe for detailed diagnosis.
    Error: (08/28/2014 00:31:19 AM) (Source: SideBySide) (EventID: 33) (User: )
    Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
    Dependent Assembly Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
    Please use sxstrace.exe for detailed diagnosis.
    Error: (08/28/2014 00:30:14 AM) (Source: SideBySide) (EventID: 33) (User: )
    Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
    Dependent Assembly Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
    Please use sxstrace.exe for detailed diagnosis.
    Error: (08/27/2014 00:32:49 AM) (Source: SideBySide) (EventID: 33) (User: )
    Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
    Dependent Assembly Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
    Please use sxstrace.exe for detailed diagnosis.
    Error: (08/27/2014 00:31:18 AM) (Source: SideBySide) (EventID: 33) (User: )
    Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
    Dependent Assembly Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
    Please use sxstrace.exe for detailed diagnosis.
    Error: (08/27/2014 00:30:16 AM) (Source: SideBySide) (EventID: 33) (User: )
    Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
    Dependent Assembly Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
    Please use sxstrace.exe for detailed diagnosis.
    Error: (08/26/2014 04:37:50 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: program.com, version: 6.0.0.1130, time stamp: 0x53ed0696
    Faulting module name: program.com, version: 6.0.0.1130, time stamp: 0x53ed0696
    Exception code: 0xc0000417
    Fault offset: 0x0019ba66
    Faulting process id: 0xf4c
    Faulting application start time: 0xprogram.com0
    Faulting application path: program.com1
    Faulting module path: program.com2
    Report Id: program.com3

    System errors:
    =============
    Error: (08/28/2014 09:36:28 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
    Description: The following boot-start or system-start driver(s) failed to load:
    SASDIFSV
    SASKUTIL
    Error: (08/28/2014 09:36:14 AM) (Source: NETLOGON) (EventID: 5719) (User: )
    Description: This computer was not able to set up a secure session with a domain
    controller in domain NORTHCENT due to the following:
    %%1311
    This may lead to authentication problems. Make sure that this
    computer is connected to the network. If the problem persists,
    please contact your domain administrator.
    ADDITIONAL INFO
    If this computer is a domain controller for the specified domain, it
    sets up the secure session to the primary domain controller emulator in the specified
    domain. Otherwise, this computer sets up the secure session to any domain controller
    in the specified domain.
    Error: (08/28/2014 09:36:11 AM) (Source: EventLog) (EventID: 6008) (User: )
    Description: The previous system shutdown at 9:34:39 AM on ‎8/‎28/‎2014 was unexpected.
    Error: (08/28/2014 09:30:15 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
    Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WPDBusEnum service.
    Error: (08/28/2014 09:28:54 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
    Description: The MBAMService service terminated unexpectedly. It has done this 1 time(s).
    Error: (08/28/2014 09:28:54 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
    Description: The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    Error: (08/28/2014 09:28:54 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
    Description: The Interactive Services Detection service terminated unexpectedly. It has done this 1 time(s).
    Error: (08/28/2014 09:28:46 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
    Description: The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    Error: (08/28/2014 09:28:45 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
    Description: The Intel(R) Rapid Storage Technology service terminated unexpectedly. It has done this 1 time(s).
    Error: (08/28/2014 09:28:45 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
    Description: The Intel(R) Management and Security Application User Notification Service service terminated unexpectedly. It has done this 1 time(s).

    Microsoft Office Sessions:
    =========================
    Error: (08/28/2014 00:33:33 AM) (Source: SideBySide) (EventID: 33) (User: )
    Description: Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"c:\program files\pitney bowes\pc meter connect\usbdriver\dpinst64.exe
    Error: (08/28/2014 00:31:19 AM) (Source: SideBySide) (EventID: 33) (User: )
    Description: Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"c:\program files\konica minolta\printerdrivers\BZ751\Setup64.exe
    Error: (08/28/2014 00:30:14 AM) (Source: SideBySide) (EventID: 33) (User: )
    Description: Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"C:\Program Files\Pitney Bowes\PC Meter Connect\USBDriver\dpinst64.exe
    Error: (08/27/2014 00:32:49 AM) (Source: SideBySide) (EventID: 33) (User: )
    Description: Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"c:\program files\pitney bowes\pc meter connect\usbdriver\dpinst64.exe
    Error: (08/27/2014 00:31:18 AM) (Source: SideBySide) (EventID: 33) (User: )
    Description: Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"c:\program files\konica minolta\printerdrivers\BZ751\Setup64.exe
    Error: (08/27/2014 00:30:16 AM) (Source: SideBySide) (EventID: 33) (User: )
    Description: Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"C:\Program Files\Pitney Bowes\PC Meter Connect\USBDriver\dpinst64.exe
    Error: (08/26/2014 04:37:50 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: program.com6.0.0.113053ed0696program.com6.0.0.113053ed0696c00004170019ba66f4c01cfc16a111d3e8eC:\Users\bella\AppData\Local\Temp\SAS_SelfExtract\program.comC:\Users\bella\AppData\Local\Temp\SAS_SelfExtract\program.comd8489457-2d60-11e4-8b2e-e06995d2bdaa

    ==================== Memory info ===========================
    Processor: Intel(R) Core(TM) i3-2102 CPU @ 3.10GHz
    Percentage of memory in use: 71%
    Total physical RAM: 3493.4 MB
    Available physical RAM: 990.8 MB
    Total Pagefile: 6985.09 MB
    Available Pagefile: 4071.74 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1853.12 MB
    ==================== Drives ================================
    Drive c: (SYSTEM) (Fixed) (Total:455.33 GB) (Free:403.58 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    Drive r: (New Volume) (Network) (Total:250 GB) (Free:173.81 GB) NTFS
    Drive t: (New Volume) (Network) (Total:250 GB) (Free:173.81 GB) NTFS
    Drive u: (New Volume) (Network) (Total:250 GB) (Free:173.81 GB) NTFS
    Drive w: (New Volume) (Network) (Total:250 GB) (Free:173.81 GB) NTFS
    ==================== MBR & Partition Table ==================
    ========================================================
    Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 465.8 GB) (Disk ID: 304647AA)
    Partition 1: (Active) - (Size=10.4 GB) - (Type=27)
    Partition 2: (Not Active) - (Size=455.3 GB) - (Type=07 NTFS)
    ==================== End Of Log ============================
     
  25. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    Download attached fixlist.txt file and save it to the Desktop.
    NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Run FRST(FRST64) and press the Fix button just once and wait.
    The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.
     

    Attached Files:



Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.